[10798] in bugtraq


Re: Solaris 2.5 /bin/su [was: vulnerability in su/PAM in redhat]

daemon@ATHENA.MIT.EDU (Casper Dik)
Fri Jun 11 15:28:53 1999

Message-Id: <199906102040.WAA29728@romulus>
Date: Thu, 10 Jun 1999 22:40:51 +0200
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
X-To: "Dr. Mudge" <mudge@L0PHT.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Thu, 10 Jun 1999 14:13:06 CDT." <Pine.BSO.4.10.9906101400580.15608-100000@l0pht.com>

>The same sort of problem existed in solaris /bin/su on 2.5 and below.
>
>The comments in the quick proof of concept sploit below should explain
>further [heh - almost as high a comment/code ratio as Hobbit's netcat
>source :) ].

The version of Solaris that fixed this made several changes. Instead of

	not trapping signals
	and Sorry/sleep/syslog

the new version traps (some) signals and reorders the
calls to syslog/sleep/Sorry.

Of course, since you started the process you can still kill -9 it but
you won't know whether you typed the right password until long after
syslog() logged the bad "su".

Casper
