From bugtraq Sat Jun 26 00:29:41 1999
From: Andrea Costantino
Date: Sat, 26 Jun 1999 00:29:41 +0000
To: bugtraq
Subject: Solaris 2.5/2.6 DoS
X-MARC-Message: https://marc.info/?l=bugtraq&m=93041631315863

Hi all,

while playing around with the Solaris/SPARC audio device (/dev/audio, linked to CS4231 hardware on /devices/sbus etc.etc.) I mistyped the playing and recording buffer in a simple full duplex phone emulator program I was testing. While the program was running on an Ultra/1 with Solaris 2.5.1 installed, after a short time the machine rebooted with a kernel panic. Please note that I was running the program as a non privileged user (UID!=0).

The programming error was a very short buffer, 2 bytes instead of 64 for the recording and playing buffer. I've done nothing special in this program, and all system calls I made were standard system calls, as documented in "man audio".

I didn't repeat the experiment, as the Solaris box was used by other people, but I'm pretty sure that with the short buffer the machine ran out of some type of resource. In fact, in a short time the X server stopped working. After less than 5 secs it dumped a kernel panic, that rebooted. Nothing happened with a longer buffer (I tried 64 and more bytes). I was sampling 2 bytes per sample, 22050 Hz, Mono, Linear Encoding.

As far as I know the /dev/audio permissions are 600, with the device owned by root, with no user logged on console. When a user logs in on console, the login process assigns him/her the audio device (with the audioctl device also), so any user logging in on console has the opportunity to crash the machine, even if a Stop-A -> sync procedure is much simpler if a malicious user has gained access to console :)

Anyway, if a user (or the root itself) changes audio permissions to 666, any logged user could easily crash the workstation.

Thanks to Sun Microsystems for their wonderful, useless LOTTO random generator called audio device :) .

Greetings
Andrea Costantino
System Operator ( on too many systems to fit this signature :) )
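
A defender-side check for the permission point raised in the message above, as an added example that is not part of the original post: it reports whether an audio device node can be opened by anyone other than its owner (the 600 versus 666 cases). The function names are hypothetical, and it assumes `ls -ldL` prints the mode string and owner in its first and third columns.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
#
# audit_audio_node PATH
#   Prints "PATH MODE OWNER STATUS" and returns:
#     0 = only the owner has access (e.g. mode 600)
#     1 = group or other bits are set (e.g. mode 666)
#     2 = path does not exist
audit_audio_node() {
    node=$1
    # -L follows the /dev -> /devices symlink so the real node's mode is read
    line=$(ls -ldL "$node" 2>/dev/null) || { echo "$node - - missing"; return 2; }
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other rwx bits
    shared=$(printf '%s\n' "$mode" | cut -c5-10)
    if [ "$shared" = "------" ]; then
        echo "$node $mode $owner owner-only"
        return 0
    fi
    echo "$node $mode $owner EXPOSED"
    return 1
}

# audit_all NODE...
#   Checks every node; missing nodes are reported but not counted as exposed.
#   Returns 1 if any existing node is accessible beyond its owner.
audit_all() {
    rc=0
    for n in "$@"; do
        audit_audio_node "$n" || [ $? -eq 2 ] || rc=1
    done
    return $rc
}

# Typical call on the system described in the post:
#   audit_all /dev/audio /dev/audioctl
```

An "owner-only" result still leaves the console user as owner while logged in, as the post notes, so this only catches the widened 666 case.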