[21093] in bugtraq


Re: pmpost - another nice symlink follower

daemon@ATHENA.MIT.EDU (Jan-Frode Myklebust)
Tue Jun 19 10:10:02 2001

Date: Tue, 19 Jun 2001 09:35:57 +0200
From: Jan-Frode Myklebust <janfrode@parallab.uib.no>
To: bugtraq@securityfocus.com
Message-ID: <20010619093557.A20737@ii.uib.no>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3B2E3638.F3E822E4@starzetz.de>; from paul@starzetz.de on Mon, Jun 18, 2001 at 07:11:20PM +0200

On Mon, Jun 18, 2001 at 07:11:20PM +0200, Paul Starzetz wrote:
> Hi,
> 
> there is a symlink handling problem in the pcp suite from SGI. The
> binary pmpost will follow symlinks, if setuid root this leads to instant
> root compromise, as found on SuSE 7.1 (I doubt that this is a default SuSE
> package, though).

It's probably a very rare package under Linux, but
more common under IRIX. I just tested your exploit
against SGI's binary release of PCP 2.1 under IRIX
6.5.12m, and it worked just fine (after minor fixes).


  -jf
