[18273] in bugtraq


Re: Solaris patchadd(1) (3) symlink vulnerability

daemon@ATHENA.MIT.EDU (Juan M. Courcoul)
Thu Dec 21 13:35:06 2000

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <3A4194BD.916CC630@campus.qro.itesm.mx>
Date:         Wed, 20 Dec 2000 23:27:25 -0600
Reply-To: "Juan M. Courcoul" <courcoul@CAMPUS.QRO.ITESM.MX>
From: "Juan M. Courcoul" <courcoul@CAMPUS.QRO.ITESM.MX>
X-To:         jpm@class.de
To: BUGTRAQ@SECURITYFOCUS.COM

"Juergen P. Meier" wrote:
...
>
> However: Sun Microsystems does recommend to only install
> patches at single-user mode (runlevel S). So no other
> possibly malicious user can exploit this ksh behaviour.

True single-user mode, meaning the state of the machine after it starts with a
'boot -s' is, indeed, the safest state in which to apply patches, especially
those that have systemwide consequences. However, application patches can be
cautiously applied, like Sun recommends, "with the system with a minimum of
activity".

...
>
> Always do init S before applying solaris patches. (especially
> if you do kernel or devicedriver patches, check your readme's).

Unless you are running a recent (>= Solaris 7) version, I would emphatically
recommend that you shut the machine down, start it with a 'boot -s', and then
apply your recommended patches in THIS single-user mode. My experience with
previous versions (we've been running Solaris hosts since 2.3) is that 'init S'
does not guarantee that all multiuser processes get killed, since not all of
these have the corresponding Kxxx shutdown scripts in the appropriate rcX.d
directory. Sure, users do get booted out, but the processes continue running
happily, so you can still find yourself in a pickle.

> Again: if you follow the Vendors recommendations, you are
> not vulnerable.

Well... I've seen other vendors shoot themselves in the foot on this one, but
that will be a topic for other discussions.

>
> On Tue, Dec 19, 2000 at 07:00:20PM +1100, Paul Szabo wrote:
> > Jonathan Fortin <jfortin@REVELEX.COM> wrote:
> >
> > > When patchadd is executed, it creates temporary files called
> > > "/tmp/sh<pidofpatchadd>.1", "/tmp/sh<pidofpatchadd>.2",
> > > "/tmp/sh<pidofpatchadd>.3" and assigns them mode 666 ...
> >
> > I guess that patchadd is a "sh" script using the "<<" construct, this
> > being an instance of the bug I reported recently:
> >
> >   http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.NAA19716@milan.maths.usyd.edu.au
> >
> > This is essentially the same as the tcsh bug fixed recently in other OSs.
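The 'init S' caveat above (start scripts with no matching Kxxx script survive the
drop to single-user mode) can be checked before patching. The script below is an
added example written for this archive page, not code from the thread or from Sun;
it assumes Solaris-style /etc/rc2.d and /etc/rc3.d start scripts named SNNname and
looks for a KNNname counterpart in /etc/rc1.d or /etc/rcS.d, which is my own choice
of directories to consult.

```sh
#!/bin/sh
# Added example: report services that 'init S' is unlikely to stop because
# their S script in rc2.d/rc3.d has no K script in rc1.d or rcS.d.
# Assumption (mine): SNN/KNN two-digit sequence numbers, service name after them.

# has_kill_script <rc_dir> <service>: true if rc_dir holds K[0-9][0-9]<service>
has_kill_script() {
    for k in "$1"/K[0-9][0-9]"$2"; do
        [ -e "$k" ] && return 0
    done
    return 1
}

# orphan_start_scripts <etc_dir>: print names of start scripts with no kill script
orphan_start_scripts() {
    etc="$1"
    for s in "$etc"/rc2.d/S[0-9][0-9]* "$etc"/rc3.d/S[0-9][0-9]*; do
        [ -e "$s" ] || continue
        name=$(basename "$s" | sed 's/^S[0-9][0-9]//')
        if ! has_kill_script "$etc/rc1.d" "$name" &&
           ! has_kill_script "$etc/rcS.d" "$name"; then
            echo "$name"
        fi
    done | sort -u
}

# make_fixture: constructed rc tree (not a real system) so the check runs offline.
# Prints the fixture directory; the caller removes it.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/rc2.d" "$dir/rc3.d" "$dir/rc1.d" "$dir/rcS.d"
    : > "$dir/rc3.d/S76snmpdx"       # has K76snmpdx in rc1.d: stopped by init S
    : > "$dir/rc1.d/K76snmpdx"
    : > "$dir/rc3.d/S15nfs.server"   # has K28nfs.server in rcS.d: stopped
    : > "$dir/rcS.d/K28nfs.server"
    : > "$dir/rc2.d/S99myapp"        # no K script anywhere: survives init S
    echo "$dir"
}

# Stand-alone run against the constructed tree; on a real host pass /etc.
fixture=$(make_fixture)
orphan_start_scripts "$fixture"
rm -rf "$fixture"
```

Against the fixture the only line printed is myapp; on a live host, run it as
orphan_start_scripts /etc and compare the list with ps output after 'init S'.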
