[18255] in bugtraq


Re: Solaris patchadd(1) (3) symlink vulnerability

daemon@ATHENA.MIT.EDU (Paul Szabo)
Thu Dec 21 00:20:16 2000

Message-Id:  <200012202213.JAA03182@milan.maths.usyd.edu.au>
Date:         Thu, 21 Dec 2000 09:13:29 +1100
Reply-To: Paul Szabo <psz@MATHS.USYD.EDU.AU>
From: Paul Szabo <psz@MATHS.USYD.EDU.AU>
X-To:         jpm@class.de
To: BUGTRAQ@SECURITYFOCUS.COM

Juergen P. Meier <jpm@class.de> wrote:

> Solaris /usr/sbin/patchadd is a /bin/ksh script.
> The problem lies in the vulnerability of ksh.

Damn: thus it would seem that not only sh, but also ksh is vulnerable!

> However: Sun Microsystems does recommend to only install
> patches at single-user mode (runlevel S). ...
> ... if you follow the vendor's recommendations, you are
> not vulnerable.

The attacker can create the symlinks before you go single-user. As the
original poster Jonathan Fortin <jfortin@REVELEX.COM> said:

> Only solution is to rm -rf /tmp/* /tmp/.* [and] make sure no users are on

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
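
An added example, not part of the original post or of patchadd: since links planted in /tmp survive the switch to single-user mode, a pre-patch check can list every symlink there that root did not create and refuse to continue until they are reviewed. The function names and the optional trusted-uid argument are hypothetical.

```shell
#!/bin/sh
# Constructed example; function names are hypothetical, not part of patchadd.

# Print every symbolic link under DIR whose owner is not TRUSTED_UID
# (default 0, root). find does not follow links here, so the owner test
# applies to the link itself, and dot-files are included.
# "ls -ldn" shows the numeric owner and the link target for review.
list_foreign_symlinks() {
    dir=$1
    trusted=${2:-0}
    find "$dir" -type l ! -user "$trusted" -exec ls -ldn {} \;
}

# Return 0 only when DIR holds no such link; otherwise list them on stderr
# and return 1 so the caller can stop before running the patch script.
tmp_is_clean() {
    found=$(list_foreign_symlinks "$@")
    [ -z "$found" ] && return 0
    printf 'symlinks not owned by trusted uid:\n%s\n' "$found" >&2
    return 1
}

# Usage as root in single-user mode, just before patching:
#   tmp_is_clean /tmp && patchadd <patch-directory>
```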
