[16711] in bugtraq
Re: exploit for locale format string bug (Solaris 2.x)
daemon@ATHENA.MIT.EDU (Drazen Kacar)
Mon Sep 11 14:38:29 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20000911082025.A13772@svarozic.srce.hr>
Date: Mon, 11 Sep 2000 08:20:25 +0200
Reply-To: Drazen Kacar <dave@SRCE.HR>
From: Drazen Kacar <dave@SRCE.HR>
X-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200009082224.PAA19280@dilvish.speed.net>; from dan-bugtraq@DILVISH.SPEED.NET on Fri, Sep 08, 2000 at 03:24:56PM -0700
Dan Harkless wrote:
> Ejovi Nuwere <ejovi@EJOVI.NET> writes:
> > > * Script kiddies: you should modify this code
> > > * slightly by yourself. :)
>
> Has anyone with a Sun support contract heard if a patch for this is
> forthcoming?? As soon as a working version of this exploit is posted,
> all administrators of Solaris systems that allow local user logins are going
> to be in a world of hurt.
Actually, Solaris administrators were in a world of hurt before this was
released. It was known that the problem with NLSPATH exists on some
architectures for quite some time. This is the first Solaris exploit
of that kind that I've seen, but I expected some Solaris utilities to be
vulnerable, although I didn't test it. The exploit release makes more people
aware of the problem, at least.
So... Remove suid/sgid mode from all programs. Copy them to something with
a .orig extension, for example. Make a wrapper which removes NLSPATH
from the environment and executes the corresponding .orig program. Take care
while coding, because you don't want the setuid wrapper to be exploitable
with symlink races. Put your wrapper in place of all suid/sgid programs
with those bits turned on.
You should be safe then. Take care when patching, because the patches
will overwrite the wrapper.
If this looks too drastic, remove suid bit from eject, at least. Users
on servers usually don't need that utility.
--
.-. .-. I don't work for my employer.
(_ \ / _)
| dave@srce.hr
| dave@fly.srk.fer.hr
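A minimal wrapper of the kind the post describes, added here as an illustration and not code from the poster or from Sun: it drops every NLSPATH entry from the environment and execs the renamed original through a fixed absolute path. The path /usr/bin/eject.orig is an assumed placeholder for whichever .orig copy you made.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed placeholder: absolute path of the renamed, no-longer-setuid original. */
#define ORIG_PROGRAM "/usr/bin/eject.orig"

/* Copy envp into a newly allocated NULL-terminated array, dropping every
 * entry whose variable name is exactly NLSPATH. Returns the number of
 * entries kept, or -1 if allocation fails. The caller owns *out. */
int strip_nlspath(char *const envp[], char ***out)
{
    size_t n = 0, kept = 0;
    char **clean;

    while (envp[n] != NULL)
        n++;
    clean = malloc((n + 1) * sizeof *clean);
    if (clean == NULL)
        return -1;
    for (size_t i = 0; i < n; i++) {
        /* Match "NLSPATH=" including the '=' so that e.g. NLSPATHX is untouched. */
        if (strncmp(envp[i], "NLSPATH=", 8) == 0)
            continue;
        clean[kept++] = envp[i];
    }
    clean[kept] = NULL;
    *out = clean;
    return (int)kept;
}

int main(int argc, char *argv[])
{
    extern char **environ;
    char **clean;
    (void)argc;

    if (strip_nlspath(environ, &clean) < 0) {
        perror("malloc");
        return 1;
    }
    /* The target is a compile-time absolute path, never derived from argv[0],
     * PATH or the working directory, so the caller cannot steer the exec
     * through a symlink or a relative name. argv is passed through unchanged. */
    execve(ORIG_PROGRAM, argv, clean);
    perror("execve");
    return 127;
}
```

The wrapper keeps the setuid/setgid bits the original used to carry, while the .orig copy has them removed, so the privileged program only ever starts with the sanitised environment.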