[21112] in bugtraq


Re: pmpost - another nice symlink follower

daemon@ATHENA.MIT.EDU (Damian Menscher)
Wed Jun 20 08:50:22 2001

Date: Wed, 20 Jun 2001 01:55:51 -0500 (CDT)
From: Damian Menscher <menscher@uiuc.edu>
Reply-To: Damian Menscher <menscher@uiuc.edu>
To: <bugtraq@securityfocus.com>
In-Reply-To: <20010619093557.A20737@ii.uib.no>
Message-ID: <5705323910D7D2118E3400C00D0062C1A8C7CA-100000@phyexha.physics.uiuc.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 19 Jun 2001, Jan-Frode Myklebust wrote:
> On Mon, Jun 18, 2001 at 07:11:20PM +0200, Paul Starzetz wrote:
> > there is a symlink handling problem in the pcp suite from SGI. The
> > binary pmpost will follow symlinks, if setuid root this leads to instant
> > root compromise, as found on SuSE 7.1 (I doubt that this is a default SuSE
> > package, though).
>
> It's probably a very rare package under linux, but
> more common under IRIX. I just tested your exploit
> against SGI's binary release of PCP 2.1 under IRIX
> 6.5.12m, and it worked just fine (after minor fixes).

Comparing notes with Jan-Frode indicated that SGI has released more than
one version of PCP 2.1.  Not all versions are vulnerable (PCP 2.1 under
6.5.6m was not).  One way to check if you're vulnerable is to do a:

	strings /usr/pcp/bin/pmpost | grep PCP_LOG_DIR

If this string appears, you're vulnerable.  If it doesn't, you're
probably not.  Of course, to be safe you could always do the chmod.

Damian Menscher
-- 
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
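The one-line check from the mail, wrapped into a small audit script as an added example (this is not code from the original post or from the PCP project). It assumes that "the chmod" means clearing the setuid bit (`chmod u-s`), that a pmpost which is not setuid is not a concern whatever strings it contains, and that `grep -a` over the binary is an acceptable stand-in for `strings | grep`; the script only reports, it changes nothing.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies a pmpost binary
# using the marker string the mail names (PCP_LOG_DIR) plus the setuid bit.

PMPOST_DEFAULT=/usr/pcp/bin/pmpost

# Returns 0 if the file carries the setuid bit, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# Returns 0 if the PCP_LOG_DIR marker is present in the file.
# grep -a scans the binary as text (assumed equivalent to strings | grep here).
has_marker() {
    grep -a -q 'PCP_LOG_DIR' "$1" 2>/dev/null
}

# Prints exactly one word: missing, not-setuid, likely-vulnerable, probably-safe.
# Always returns 0 so callers can capture the word without tripping set -e.
classify_pmpost() {
    f="${1:-$PMPOST_DEFAULT}"
    if [ ! -f "$f" ]; then
        echo missing
    elif ! is_setuid "$f"; then
        echo not-setuid            # no privilege boundary to cross
    elif has_marker "$f"; then
        echo likely-vulnerable     # marker string present in a setuid binary
    else
        echo probably-safe         # setuid, but the marker is absent
    fi
    return 0
}

main() {
    f="${1:-$PMPOST_DEFAULT}"
    verdict=$(classify_pmpost "$f")
    echo "$f: $verdict"
    if [ "$verdict" = likely-vulnerable ]; then
        # Assumed meaning of "the chmod" in the mail: drop the setuid bit.
        echo "suggested mitigation: chmod u-s $f"
    fi
}

main "$@"
```

Run it with no argument to check the default path, or pass another pmpost path as the first argument.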
