CVE-2018-14665 exploit: local privilege escalation on Solaris 11

I was investigating another 0day, when I noticed that Solaris 11 is also affected by the recent Xorg local privilege escalation vulnerability (CVE-2018-14665).

For a number of reasons, finding a viable exploitation vector wasn’t trivial in this case: cron/at, passwd/shadow, and sudo don’t seem to work, and I consider ld.config to be too invasive in any case. Therefore, I decided to settle for the less invasive (but still potentially dangerous) privilege escalation method based on /etc/inittab overwrite.

Here’s my fresh exploit:

https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm

Please read comments and code carefully before running it, because if something goes wrong it WILL trash your system. If anyone can come up with a less invasive exploitation vector, ideas and PRs are welcome.

See also my previous exploit for OpenBSD 6.3 and 6.4, and this other variant that exploits the modulepath bug.