[3488] in bugtraq
Re: solaris 2.4 license-manager bug
daemon@ATHENA.MIT.EDU (Jeffrey Howard)
Wed Oct 16 23:44:27 1996
Date: Thu, 17 Oct 1996 12:45:01 +1000
Reply-To: Jeffrey Howard <jhoward@agso.gov.au>
From: Jeffrey Howard <jhoward@agso.gov.au>
X-To: gkaufman@cs.uct.ac.za
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
> Another bug for solaris 2.4
> The license manager must be running, expect both
> lmgrd.ste & suntechd to be somewhere in your process table.
>
> /var/tmp/locksuntechd will be created by anyone who runs
> lmstat, with perms 666 and quite happy to follow symlinks.
> Anyway, here's the exploit.
>
> -+-+-+ CUT
> rm /var/tmp/locksuntechd
> ln -s /.rhosts /var/tmp/locksuntechd
> lmstat -c <insert your license file name here>
>
> NOTES
> lmstat could be anywhere on your filesystem. try /etc/opt/licenses
> I found that sometimes this didn't work first time. It didn't create
> the file. Just run lmstat again and it'll work.
Some observations ...
Lock files are created by the lmgrd process for each license daemon
process it manages when it starts. These lock files are generally owned
by root, the id under which they were started. If the sticky bit is set
on the /var/tmp directory, no normal user will be able to remove the
lock file, thus breaking step 1 of the exploit.
Perhaps there is a window of opportunity if you can create the symbolic
link before the licence manager starts up. Given that the licence
manager generally kicks off at boot, and the /tmp directories will be
flushed during startup, this might also be difficult to pull off.
---
Cheers,
jhoward@agso.gov.au
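The two messages above describe a classic insecure lock-file creation: a daemon creates a world-writable file under /var/tmp with a plain O_CREAT open, so a symlink planted at that name redirects the write, and the sticky bit on /var/tmp is what stops an ordinary user from removing a root-owned lock file first. The following is an added example, not code from either poster and not the license manager's own code; it shows the vulnerable open() pattern beside the hardened O_EXCL form, the sticky-bit check, and a self-contained demonstration in a scratch directory (file names such as rhosts and locksuntechd are stand-ins for the real paths; all helper names are hypothetical).

```c
/* Added example: insecure vs. safe lock-file creation, plus the sticky-bit
 * check from the reply. Not code from the original posts or from lmgrd. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: O_CREAT without O_EXCL. If path already exists as a
 * symlink, the kernel follows it and the payload lands in the link target. */
int create_lock_unsafe(const char *path, const char *payload)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return -1;
    ssize_t n = write(fd, payload, strlen(payload));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened pattern: O_EXCL makes open() fail with EEXIST on any pre-existing
 * entry, symlink included, instead of following it; mode is no longer 0666. */
int create_lock_safe(const char *path, const char *payload)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;          /* errno == EEXIST when a link was planted */
    ssize_t n = write(fd, payload, strlen(payload));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* The mitigation from the reply: with the sticky bit set, only the owner of an
 * entry (or of the directory, or root) may unlink it, so step 1 of the exploit
 * (rm of the root-owned lock file) fails for a normal user. */
int dir_is_sticky(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return (st.st_mode & S_ISVTX) ? 1 : 0;
}

/* Reads up to cap-1 bytes of path into buf (NUL-terminated); -1 on error. */
static int read_small_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

/* Constructed scenario in a scratch directory: "rhosts" stands in for /.rhosts
 * and "locksuntechd" for the lock file. Returns 1 when the unsafe creator wrote
 * through the planted link and the safe creator refused with EEXIST. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char target[PATH_MAX], lock[PATH_MAX], buf[64];
    snprintf(target, sizeof target, "%s/rhosts", dir);
    snprintf(lock, sizeof lock, "%s/locksuntechd", dir);

    /* Attacker: an empty decoy target and a lock path that points at it. */
    int fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return 0;
    close(fd);
    if (symlink(target, lock) != 0) return 0;

    /* Daemon, vulnerable: the write goes straight through the link. */
    int unsafe_rc = create_lock_unsafe(lock, "+ +\n");
    int through = read_small_file(target, buf, sizeof buf) == 4 &&
                  strcmp(buf, "+ +\n") == 0;

    /* Daemon, hardened: the planted link is rejected, nothing is written. */
    int safe_rc = create_lock_safe(lock, "pid 1234\n");
    int safe_errno = errno;

    unlink(lock); unlink(target); rmdir(dir);
    return unsafe_rc == 0 && through && safe_rc == -1 && safe_errno == EEXIST;
}

/* mkdtemp creates the directory 0700 (not sticky); chmod 01777 makes it look
 * like a correctly configured /var/tmp. Returns 1 if the check tracks both. */
int demo_sticky_bit(void)
{
    char dir[] = "/tmp/stickydemo.XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    int before = dir_is_sticky(dir);
    int after = chmod(dir, 01777) == 0 && dir_is_sticky(dir);
    rmdir(dir);
    return before == 0 && after == 1;
}

int main(void)
{
    printf("symlink attack demo: %s\n",
           demo_symlink_attack() ? "unsafe creator followed the link, safe creator refused"
                                 : "unexpected result");
    printf("sticky bit demo: %s\n", demo_sticky_bit() ? "ok" : "unexpected result");
    return 0;
}
```

The demo runs entirely as one user inside a private 0700 directory, so it does not depend on /var/tmp permissions or on Linux's fs.protected_symlinks restriction (which only applies to symlinks in sticky, world-writable directories). In the real scenario the race Howard describes still exists for the unsafe pattern even with the sticky bit set, since O_CREAT without O_EXCL will follow a link that was planted before the daemon first created its lock file; O_EXCL closes that window because the daemon then refuses to open anything it did not create itself.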