[3398] in bugtraq
Re: Vunerability in HP sysdiag ?
daemon@ATHENA.MIT.EDU (Tobias Richter)
Wed Sep 25 23:15:53 1996
Date: Wed, 25 Sep 1996 22:26:27 +0200
Reply-To: Tobias Richter <tsr@cave.isdn.cs.tu-berlin.de>
From: Tobias Richter <tsr@cave.isdn.cs.tu-berlin.de>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <199609250922.MAA18898@cc.ece.ntua.gr> from "Aggelos P.
Varvitsiotis" at "Sep 25, 96 12:22:47 pm"
> [rest of message deleted]
>
> I verified it for HP-UX 9.0X. Not only that, though. It is not sufficient
> to chmod u-s /bin/sysdiag. This leaves behind a bunch of programs in
> /usr/diag/bin which are still setuid to root and behave quite the same
> (i.e., they don't check for symlinks while creating 0666 log or temp
> files). A non-priviledged user can use any of these to create 0666
> /.rhosts (or whatever else) files, with the known consequences.
But also priviledged users create these 0666 files and will follow
bogus symlinks, too. You just have to create your symlink and wait
for root to do his regular work. Therefore this:
> Proposed solution:
> root# chmod u-s /bin/sysdiag /usr/diag/bin/*
is not enough. You will have to
root# chmod a-x /bin/sysdiag /usr/diag/bin/*
or get a patch quick.
tobias
--
======================================================================
Tobias Richter Try my Homepage: file:/dev/zero
