Bugtraq mailing list archives
Pointer to a process's credential structure?
From: fritchie () stolaf edu (Scott Lystig Fritchie)
Date: Wed, 12 Apr 1995 17:44:53 -0500
Hi --

Browsing through some archived "bugtraq" messages I discovered a really nifty way to change the effective and real userid of any process running under SunOS 4.1.x (well, at least 4.1.2 and 4.1.3x). That particular hole is demonstrably exploitable under Solaris 2.3 (and I assume Solaris 2.4), except for one little problem....

... obtaining a pointer to the process's user credentials structure. SunOS 4.1.x was kind enough to supply "pstat", but that's missing under Solaris 2.x. We've been scratching our head trying to find a Solaris utility that would do the same thing, but can't find one.

Obtaining the magic address is pretty simple using:

    kvm_t *kernel;
    proc_t *ourproc;

    if (! (kernel = kvm_open(NULL, NULL, NULL, O_RDONLY, argv[0]))) {
        perror("kvm_open");
        exit(2);
    }
    if (! (ourproc = kvm_getproc(kernel, pid))) {
        perror("kvm_getproc");
        exit(3);
    }
    printf("p_cred = %lx\n", ourproc->p_cred);

... but it won't work without permission to open /dev/kmem.

It's probably a good idea to enable the hardware password feature on our Solaris consoles anyway (or is it?), but if there's a program bundled with Solaris that will spit out that address, there's an added reason for doing so. :-)

-Scott

---
Scott E. Lystig Fritchie, UNIX Systems Manager
Academic Computing Center, St. Olaf College
1510 St. Olaf Ave., Northfield, MN 55057
fritchie () stolaf edu ... 507/646.3407