[4520] in bugtraq
Re: SunOS exploit.
daemon@ATHENA.MIT.EDU (Casper Dik)
Tue May 20 08:42:59 1997
Date: Tue, 20 May 1997 09:43:11 +0200
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 19 May 1997 04:14:21 -0000."
<Pine.LNX.3.95.970519041102.4643C-100000@sedated.net>

>This worked on SunOS 5.5.1 Generic_103640-05 sun4m sparc.
>
>Please mind you that this only works on versions of programs
>that use getenv("USER"); to obtain the username, I'm also aware
>anyone who uses elm on ANY system, linux, bsd, SunOS included
>can read any user's mail :P. getenv("USER") on programs that are
>reliant on the USERNAME isn't safe especially when they're +s'ed.

SunOS 5.x/Solaris 2.x doesn't come with chfn/chsh. So if you have binaries
that produce this bug under SunOS 5.5.1, you have installed them yourself.
BTW, for proper operation chfn/chsh-like programs need to be set-uid.

Casper
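
The thread's point is that a set-uid program cannot take the caller's identity from getenv("USER"), because the caller controls the environment. The sketch below is an added example, not code from either message or from any chfn/chsh implementation: it derives the name from the real uid through the passwd database and treats the environment value only as a claim to be checked. The helper names invoking_user and claimed_user_matches are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: copy the login name belonging to the REAL uid into
 * buf. The real uid is set by the kernel and is not changed by the set-uid
 * bit, unlike the effective uid, and unlike $USER it is not caller-supplied.
 * Returns 0 on success, -1 if the uid has no passwd entry or buf is too small. */
int invoking_user(char *buf, size_t len)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_name == NULL)
        return -1;
    if (strlen(pw->pw_name) >= len)
        return -1;
    strcpy(buf, pw->pw_name);
    return 0;
}

/* Hypothetical helper: compare a claimed name (for example getenv("USER"))
 * with the name derived from the real uid.
 * Returns 1 on match, 0 on mismatch or missing claim, -1 if lookup failed. */
int claimed_user_matches(const char *claimed)
{
    char name[256];
    if (invoking_user(name, sizeof name) != 0)
        return -1;
    return claimed != NULL && strcmp(claimed, name) == 0;
}

int main(void)
{
    char name[256];
    if (invoking_user(name, sizeof name) != 0) {
        fprintf(stderr, "no passwd entry for uid %ld\n", (long)getuid());
        return 1;
    }
    /* Act on `name`; a differing $USER is logged, never acted upon. */
    if (claimed_user_matches(getenv("USER")) != 1)
        fprintf(stderr, "warning: $USER does not match real uid, ignoring it\n");
    printf("operating on account: %s\n", name);
    return 0;
}
```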