[5248] in bugtraq
Re: HP UX Bug :)
daemon@ATHENA.MIT.EDU (Brian Mitchell)
Wed Sep 3 01:04:27 1997
Date: Tue, 2 Sep 1997 03:29:03 -0400
Reply-To: Brian Mitchell <brian@FIREHOUSE.NET>
From: Brian Mitchell <brian@FIREHOUSE.NET>
X-To: Leonid S Knyshov <wiseleo@JUNO.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19970901.150811.14382.4.wiseleo@juno.com>
On Mon, 1 Sep 1997, Leonid S Knyshov wrote:
> However, it wipes out the target file. A symlink to /etc/passwd comes to
> mind.
The file would retain its permissions. Permissions are set on create; it is
probably simply truncating the file.
>
> But, since it follows the umask, it might be possible to replace binaries
> executed by system...
See above.
>
> In any event, a very dangerous condition...
Indeed. .forward/.rhosts is the most obvious attack.
>
> I do not have the access to source code, so I can't think of a patch.
> Probably replace getenv with getuid or something like that.
It's kinda lame, but:
remove the s bit from the program, write a C program that clears the
environment and exports those variables it needs (setting the user via
getpwuid() or somesuch), then executes the program (while euid=0,
ruid=you).
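The wrapper Brian sketches, written out as an added example (this is not code from the original thread, nor anything HP shipped). It assumes the wrapper itself is installed setuid root in place of the affected program, and that the original binary, with its s bit removed, lives at a hypothetical path /usr/local/bin/target. The point is that the invoking user is taken from getpwuid(getuid()) and the caller's environment is thrown away entirely, so the values the target later reads with getenv() are ones the attacker never controlled.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* ASSUMPTION: the post does not name the program; this path is invented. */
#define TARGET    "/usr/local/bin/target"
#define SAFE_PATH "/usr/bin:/bin"

#define MAX_ENV 8
#define ENV_LEN 512

struct safe_env {
    char  storage[MAX_ENV][ENV_LEN];
    char *vec[MAX_ENV + 1];   /* NULL-terminated, handed straight to execve */
    int   count;
};

/* Refuse values that could not have come from a sane passwd entry: empty,
 * oversized, containing control characters (newline!) or an '=' sign. */
int value_is_sane(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    if (strlen(s) >= ENV_LEN - 16)
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f || c == '=')
            return 0;
    }
    return 1;
}

static int add_var(struct safe_env *e, const char *name, const char *value)
{
    int n;

    if (e->count >= MAX_ENV)
        return -1;
    n = snprintf(e->storage[e->count], ENV_LEN, "%s=%s", name, value);
    if (n < 0 || n >= ENV_LEN)
        return -1;
    e->vec[e->count] = e->storage[e->count];
    e->count++;
    e->vec[e->count] = NULL;
    return 0;
}

/* Build a fresh environment from the passwd entry only; nothing from the
 * caller's environ is consulted. Returns the variable count, or -1. */
int build_safe_env(struct safe_env *e, const struct passwd *pw)
{
    memset(e, 0, sizeof *e);
    if (!value_is_sane(pw->pw_name) || !value_is_sane(pw->pw_dir) ||
        pw->pw_dir[0] != '/')
        return -1;
    if (add_var(e, "USER", pw->pw_name) < 0)    return -1;
    if (add_var(e, "LOGNAME", pw->pw_name) < 0) return -1;
    if (add_var(e, "HOME", pw->pw_dir) < 0)     return -1;
    if (add_var(e, "PATH", SAFE_PATH) < 0)      return -1;
    return e->count;
}

int main(int argc, char **argv)
{
    struct safe_env env;
    /* The real uid is the invoking user even though euid is 0 here. */
    struct passwd *pw = getpwuid(getuid());

    (void)argc;
    if (pw == NULL) {
        fprintf(stderr, "wrapper: no passwd entry for uid %ld\n",
                (long)getuid());
        return 1;
    }
    if (build_safe_env(&env, pw) < 0) {
        fprintf(stderr, "wrapper: unusable passwd entry, refusing to run\n");
        return 1;
    }
    argv[0] = TARGET;              /* arguments are passed through unchanged */
    execve(TARGET, argv, env.vec);
    fprintf(stderr, "wrapper: execve %s: %s\n", TARGET, strerror(errno));
    return 127;
}
```

This only removes the attacker's control over the environment; the truncate-follows-symlink behaviour in the target is untouched, so the wrapper is a stopgap until a fixed binary (one that uses getuid() rather than getenv()) is available. The sanity check on pw_name and pw_dir is an addition beyond the post, there to stop a newline or similar in a locally editable passwd field from smuggling a second variable into the new environment.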