[21103] in bugtraq
Re: pmpost - another nice symlink follower
daemon@ATHENA.MIT.EDU (Dale Southard)
Tue Jun 19 16:25:00 2001
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
From: Dale Southard <southard1@llnl.gov>
Date: 19 Jun 2001 09:18:48 -0700
Message-ID: <ub666dsbfyv.fsf@zonker.llnl.gov>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

With minor modifications, this also yields root with the IRIX version
of PCP 2.1 running under IRIX 6.5.10. PCP 2.2 under IRIX 6.5.11+ not
tested.

Under IRIX `chmod 555 /usr/pcp/bin/pmpost` mitigates the root
vulnerability (and presumably some of the PCP ``Notice Board''
functionality) until a patch is available.

Paul Starzetz <paul@starzetz.de> writes:

> there is a symlink handling problem in the pcp suite from SGI. The
> binary pmpost will follow symlinks, if setuid root this leads to instant
> root compromise, as found on SuSE 7.1 (I doubt that this is a default SuSE
> package, though).
--
/* Dale Southard Jr. southard1@llnl.gov 925-422-1463 */
/* Computer Scientist, Accelerated Strategic Computing Initiative */
/* L-550, Lawrence Livermore National Lab, Livermore CA 94551 */
/* AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving */
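
The symlink-following problem discussed in this thread, seen from the fix side: the block below is an added example, not part of the original message and not PCP source code, showing how a privileged program can open a log file without following a symlink. The function names, file names and temp directory are hypothetical, and a POSIX.1-2008 system (for `O_NOFOLLOW` and `mkdtemp`) is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a log for appending, refusing a symlink as the
 * final path component and any file with extra hard links. fd or -1. */
int open_log_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;                      /* ELOOP on Linux for a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);                      /* check the opened object, not the name */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp directory. Returns 1 when the
 * symlink is refused, its target is never created, and a plain file opens. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/nofollowXXXXXX", target[64], link_path[64], plain[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link_path, sizeof link_path, "%s/NOTICES", dir);
    snprintf(plain, sizeof plain, "%s/plain", dir);
    if (symlink(target, link_path) != 0) return -1;

    int bad = open_log_nofollow(link_path);       /* dangling symlink */
    int untouched = (stat(target, &st) != 0);     /* target must not exist */
    int good = open_log_nofollow(plain);          /* ordinary new file */
    if (bad >= 0) close(bad);
    if (good >= 0) close(good);
    unlink(link_path); unlink(target); unlink(plain); rmdir(dir);
    return (bad < 0) && untouched && (good >= 0);
}

int main(void)
{
    printf("symlink refused: %d\n", demo_symlink_refused());
    return 0;
}
```

`O_NOFOLLOW` only covers the last path component, so the directory holding the log must itself not be writable by unprivileged users.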