[15209] in bugtraq
Re: HP Security vulnerability in the man command
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Tue Jun 6 03:37:06 2000
Message-Id: <200006051748.e55HmWD19601@cvs.openbsd.org>
Date: Mon, 5 Jun 2000 11:48:31 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: Jason Axley <jason.axley@ATTWS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Fri, 02 Jun 2000 10:26:16 PDT."
<Pine.SOL.4.02.10006021014400.4779-100000@nofud.nwest.attws.com>
> 0) HP *still* insists on NOT setting the sticky bit on world-writeable
> temporary directories (/tmp and /var/tmp) on default installs of HPUX.

If this is the case, then any temporary file which gets reopened is
not safe. A *lot* of software does reopening by name.

During the OpenBSD security audit, when we started dealing with /tmp
issues, I would roughly estimate that about 30% of the 800+ issues we
found in our source tree used filename reopening. Like mail, yacc,
ed, sed, lex, ...

In particular, the entire compiler suite. Without setting foot on a
HPUX machine (and instead using an x86 for a foot pedestal) I would
bet that the cc -> cpp -> cc1 -> as -> ld toolchain uses filename
parameter passing; if HPUX still ships without the +t bit set on /tmp,
it should be fairly easy for any user to become another (active) user.

I believe l0pht even has a tool to watch /tmp for such things.
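Two defensive checks in C, added here as an illustration and not part of Theo's message or of OpenBSD's audit code: the first flags a world-writable directory that lacks the +t bit, the second shows the pattern the audit moved to, keeping the descriptor mkstemp() returns instead of reopening the file by name. The function names and the /tmp paths in main are my own choices.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `dir` is world-writable but lacks the sticky (+t) bit, the HP-UX
 * default the post describes; 0 if it has +t or is not world-writable;
 * -1 if it cannot be stat'ed or is not a directory. */
int tmpdir_missing_sticky(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) == -1 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX);
}

/* Create a temp file in `dir`, write `msg`, read it back into `out` and
 * return the byte count (-1 on error). Everything after creation goes
 * through the descriptor mkstemp() returned; the name is unlinked at once
 * and never reopened. A cooperating process should inherit the fd, not the name. */
ssize_t tmp_roundtrip(const char *dir, const char *msg, char *out, size_t outlen)
{
    char path[4096];
    struct stat st;
    size_t len = strlen(msg);
    if (snprintf(path, sizeof path, "%s/rt.XXXXXX", dir) >= (int)sizeof path)
        return -1;
    int fd = mkstemp(path);               /* O_CREAT|O_EXCL, mode 0600 */
    if (fd == -1)
        return -1;
    unlink(path);                         /* nothing can be swapped in by name now */
    ssize_t n = -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == getuid()
        && write(fd, msg, len) == (ssize_t)len)
        n = pread(fd, out, outlen - 1, 0);    /* reread via the same fd */
    if (n >= 0)
        out[n] = '\0';
    close(fd);
    return n;
}

int main(void)
{
    char buf[32];
    printf("/tmp world-writable without +t: %d\n", tmpdir_missing_sticky("/tmp"));
    printf("roundtrip: %zd bytes\n", tmp_roundtrip("/tmp", "hello", buf, sizeof buf));
    return 0;
}
```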