[8293] in bugtraq
Re: License Manager's lockfiles (Solaris 2.5.1)
daemon@ATHENA.MIT.EDU (Don Lewis)
Mon Oct 26 14:11:54 1998
Date: Fri, 23 Oct 1998 21:44:41 -0700
Reply-To: Don Lewis <Don.Lewis@TSC.TDK.COM>
From: Don Lewis <Don.Lewis@TSC.TDK.COM>
X-To: Roger Harrison ? <rharri01@KEPLER.POLY.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Roger Harrison ? <rharri01@KEPLER.POLY.EDU> "Re: License Manager's lockfiles (Solaris 2.5.1)" (Oct 23, 8:22pm)
On Oct 23, 8:22pm, Roger Harrison ? wrote:
} Subject: Re: License Manager's lockfiles (Solaris 2.5.1)
} So to exploit it, just remove the locksuntechd file and replace it with a
} symlink to a file you want to create. It will not overwrite existing
} files from the testing that I did. Then the link is followed and the new
} file is created with mode 666 ownership root. You can then delete the
} symlink and create a new one to somewhere else and it will work again and
} again and again...what fun. Users could create .rhosts files, new system
} webpages, new trojan binaries with names spelled slightly off that get
} misspelled often (finger-fineger, pine-pien, ls-sl) come on.. tell me
} you never typed one of those out wrong while you were typing fast!
Unless you've found another bug, world writeable .rhosts files should be
ignored. Also, if you don't own the trojan binary files, how are you going
to set the execute bits so that other users can execute them?
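For contrast with the lock-file behaviour discussed in this thread, here is an added example (not suntechd's code, and not from either poster) showing the open() pattern that follows a planted symlink next to the hardened form a daemon should use; the function names and the scratch directory under /tmp are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names; illustrative only, not the Solaris daemon's code.
 * Unsafe pattern: O_CREAT without O_EXCL follows a symlink sitting at
 * `path` and creates or truncates its target with the caller's
 * privileges and a world-writable mode. */
int lockfile_create_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything,
 * including a dangling symlink, already occupies `path`, and never
 * follows it. The lock file is also created 0644, not 0666. */
int lockfile_create_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) {
        int saved = errno;
        struct stat st;          /* lstat: look at the link, not its target */
        if (saved == EEXIST && lstat(path, &st) == 0 && S_ISLNK(st.st_mode))
            fprintf(stderr, "%s: refusing to follow symlink\n", path);
        errno = saved;
    }
    return fd;
}

/* Scratch-directory check: plant a symlink where the lock file would go,
 * pointing at a not-yet-existing file, and confirm the hardened routine
 * refuses and the target is never created. Returns 1 on correct behaviour. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";     /* constructed scratch dir */
    if (mkdtemp(dir) == NULL) return 0;
    char lock[256], target[256];
    snprintf(lock, sizeof lock, "%s/lock", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, lock) != 0) return 0;
    int fd = lockfile_create_safe(lock);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    int target_absent = (access(target, F_OK) != 0);
    unlink(lock); unlink(target); rmdir(dir);
    return refused && target_absent;
}
```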