[3506] in bugtraq


/usr/bin/solstice under solaris 5.5

daemon@ATHENA.MIT.EDU (Grant Kaufmann)
Fri Oct 18 21:07:57 1996

Date: 	Fri, 18 Oct 1996 09:36:56 +0200
Reply-To: Grant Kaufmann <gkaufman@cs.uct.ac.za>
From: Grant Kaufmann <gkaufman@cs.uct.ac.za>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

/usr/bin/solstice is a program launcher under Solaris 2.5.
Unfortunately, for some reason, it is distributed set-gid bin,
and politely launches any programs without revoking this.
The exploit:

---
(ignore any warnings/errors along the way)
/usr/bin/solstice
click Launcher
click Add Applications
fill in any arbitrary things for the fields, stick the program
        you want to run as setgid bin (or create a sgid shell)
click on the icon which appears with your app name.
---


As an aside, is there any reason why Solaris distributes
with so many important directories (like /etc and /bin) as writable by
group? This really converts a lot of not-so-dangerous
set-gid vulnerabilities to root vulnerabilities.


--
Grant
--
http://www.cs.uct.ac.za/~gkaufman/pgp.html
