[18231] in bugtraq


Re: Solaris patchadd(1) (3) symlink vulnerability

daemon@ATHENA.MIT.EDU (Juergen P. Meier)
Wed Dec 20 17:07:17 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20001220103022.A10172@fm.rz.fh-muenchen.de>
Date:         Wed, 20 Dec 2000 10:30:22 +0100
Reply-To: jpm@class.de
From: "Juergen P. Meier" <jpm@CLASS.DE>
X-To:         Paul Szabo <psz@MATHS.USYD.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200012190800.TAA05385@milan.maths.usyd.edu.au>; from
              psz@MATHS.USYD.EDU.AU on Tue, Dec 19, 2000 at 07:00:20PM +1100

Solaris /usr/sbin/patchadd is a /bin/ksh script.
The problem lies in the vulnerability of ksh.

However: Sun Microsystems recommends installing patches only
in single-user mode (run level S), so no other, possibly
malicious, user can exploit this ksh behaviour.

At least after the eBay disaster we should all have learned
this lesson... ;)

Always do init S before applying Solaris patches (especially
if you apply kernel or device-driver patches; check your READMEs).

Again: if you follow the vendor's recommendations, you are
not vulnerable.

cheers,

Juergen

On Tue, Dec 19, 2000 at 07:00:20PM +1100, Paul Szabo wrote:
> Jonathan Fortin <jfortin@REVELEX.COM> wrote:
>
> > When patchadd is executed, it creates temporary files called
> > "/tmp/sh<pidofpatchadd>.1", "/tmp/sh<pidofpatchadd>.2",
> > "/tmp/sh<pidofpatchadd>.3" and assigns them mode 666 ...
>
> I guess that patchadd is a "sh" script using the "<<" construct, this
> being an instance of the bug I reported recently:
>
>   http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.NAA19716@milan.maths.usyd.edu.au
>
> This is essentially the same as the tcsh bug fixed recently in other OSs.
>
> Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
> School of Mathematics and Statistics  University of Sydney   2006  Australia

--
Juergen P. Meier                        email: jpm@class.de
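
A pre-flight check in the spirit of the advice above, as an added example that is not part of the original posting: it refuses to proceed unless `who -r` reports run level S, and it flags any pre-existing /tmp/sh<pid>.<n> entries, the temp-file pattern quoted in the thread, that are symlinks or owned by another user. The directory argument is an assumption so the scan can be exercised on a constructed directory rather than the real /tmp.

```shell
#!/bin/sh
# Added example, not from the original posting: a pre-flight check to run
# before patchadd, based on the two facts in this thread -- Sun's advice to
# patch only at run level S, and the /tmp/sh<pid>.<n> temp-file pattern the
# ksh here-document creates. The directory argument is an assumption.

# Return 0 when `who -r` reports run level S, 1 otherwise.
in_single_user_mode() {
    who -r 2>/dev/null | awk '{print $3}' | grep -q '^S$'
}

# List pre-planted ksh temp-file entries in $1: anything matching sh<pid>.<n>
# that is a symlink (the race described in the thread) or not owned by us.
# Returns 1 if anything suspicious was found, 0 if the directory is clean.
scan_ksh_tmpfiles() {
    dir=$1
    found=0
    for f in "$dir"/sh[0-9]*.[0-9]*; do
        # An unmatched glob stays literal; skip it.
        [ -L "$f" ] || [ -e "$f" ] || continue
        if [ -L "$f" ]; then
            echo "symlink pre-planted at $f -> $(readlink "$f")"
            found=1
        elif [ "$(ls -ld "$f" | awk '{print $3}')" != "$(id -un)" ]; then
            echo "temp file $f owned by another user"
            found=1
        fi
    done
    return $found
}

# Combine both checks; refuse unless the host is at run level S and $1 is clean.
preflight() {
    if ! in_single_user_mode; then
        echo "refusing: host is not at run level S (init S first)" >&2
        return 1
    fi
    if ! scan_ksh_tmpfiles "$1"; then
        echo "refusing: suspicious entries in $1; remove them and re-check" >&2
        return 1
    fi
    echo "preflight ok: safe to run patchadd from this shell"
}

# Run the check only when a directory is given, e.g. ./preflight.sh /tmp
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```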
