> If pathetic.sun.com were a Solaris 2.7 machine with pathetic > as its hostname, and a vulnerable Primary name server, > an exploit attempt would look like this: > > Execute commands to spoof reboot off Primary NS here > ./amountdexp pathetic.sun.com pathetic reboot 1 > > If pathetic.sun.com were a Solaris 2.5.1 machine with pathetic > as its hostname, an exploit attempt would look like this: > > ./amountdexp pathetic.sun.com pathetic reboot 0 Since tehre's no such thing as Solaris 2.7, I'm surprised it works tehre. Did you perhaps try it on the beta? My Solaris 7 system complains: Jan 5 09:47:31 room101 automountd[222]: Illegal access attempt by uid=1 - reque st ignored Jan 5 09:47:46 room101 statd[217]: statd: cannot talk to lockd at room101, RPC: Timed out(5) Statd doesn't run as root in Solaris 7 so the automounter will ignore its requests. This change was made late in Solaris 7 development and did not make it into any external release. The easiest way to work around this problem quickly is runnign statd as a user other than root, to this end change in /etc/init.d/nfs.client as follows (but not on Solaris 7, where such a change may break statd) 28c28 < /usr/lib/nfs/statd > /dev/console 2>&1 --- > su daemon -c /usr/lib/nfs/statd > /dev/console 2>&1 (make sure you keep the links in /etc/rc?.d/[SK]*nfs.client pointing to /etc/init.d/nfs.client) and run: chown -R daemon /var/statmon chmod -R og-w /var/statmon Then stop and start lockd & statd. Casper
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:27 PDT