[18274] in bugtraq


Re: Solaris patchadd(1) (3) symlink vulnerability

daemon@ATHENA.MIT.EDU (Juan M. Courcoul)
Thu Dec 21 13:39:55 2000

Message-ID:  <3A41965C.8B7A68E4@campus.qro.itesm.mx>
Date:         Wed, 20 Dec 2000 23:34:20 -0600
Reply-To: "Juan M. Courcoul" <courcoul@CAMPUS.QRO.ITESM.MX>
From: "Juan M. Courcoul" <courcoul@CAMPUS.QRO.ITESM.MX>
X-To:         Paul Szabo <psz@MATHS.USYD.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM

Paul Szabo wrote:
>
> Juergen P. Meier <jpm@class.de> wrote:
>
> > Solaris /usr/sbin/patchadd is a /bin/ksh script.
> > The problem lies in the vulnerability of ksh.
>
> Damn: thus it would seem that not only sh, but also ksh is vulnerable!
>
> > However: Sun Microsystems does recommend to only install
> > patches at single-user mode (runlevel S). ...
> > ... if you follow the Vendors recommendations, you are
> > not vulnerable.
>
> The attacker can create the symlinks before you go single-user. As the
> original poster Jonathan Fortin <jfortin@REVELEX.COM> said:
>
> > Only solution is to rm -rf /tmp/* /tmp/.* [and] make sure no users are on

Unless you changed the way Solaris does things, my recommendation to shut the
machine down, start it up with 'boot -s' and then patch takes care of this.

By default Solaris maps /tmp onto the paging area (meaning there is no physical
/tmp partition), so every time the machine restarts you get a sparkling clean
/tmp, with no residues from its previous life. Voila! No symlinks...

J. Courcoul
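As an added example (not part of the original thread), a pre-patch sanity check in POSIX sh that encodes the advice above: confirm from an /etc/mnttab excerpt that /tmp is a swap-backed tmpfs (so a reboot really does start it empty) and that no symlinks are left under the directory before patchadd runs. The mnttab excerpt, the host details in it and the function names are constructed for illustration.

```shell
# Constructed /etc/mnttab excerpt (hypothetical host); Solaris format is
# "special mount_point fstype options mount_time", whitespace separated.
SAMPLE_MNTTAB='/dev/dsk/c0t0d0s0 / ufs rw,intr,largefiles,logging,suid,dev=800000 977000000
swap /tmp tmpfs xattr,dev=1 977000001
/dev/dsk/c0t0d0s7 /export/home ufs rw,intr,largefiles,logging,suid,dev=800007 977000002'

# tmp_is_swap_backed MNTTAB_TEXT MOUNTPOINT
# Returns 0 when MOUNTPOINT is a tmpfs mounted from "swap", i.e. its
# contents live in the paging area and vanish on reboot.
tmp_is_swap_backed() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        '$2 == mp && $1 == "swap" && $3 == "tmpfs" { found = 1 } END { exit !found }'
}

# count_symlinks DIR
# Prints the number of symbolic links (including dangling ones) found
# anywhere under DIR; leftover links are what a symlink race relies on.
count_symlinks() {
    find "$1" -type l 2>/dev/null | wc -l | tr -d ' '
}

# prepatch_check MNTTAB_TEXT MOUNTPOINT SCAN_DIR
# Returns 0 only when MOUNTPOINT is swap-backed tmpfs and SCAN_DIR holds no
# symlinks; SCAN_DIR is normally the same as MOUNTPOINT but is separate so
# the check can be exercised on a scratch directory.
prepatch_check() {
    if ! tmp_is_swap_backed "$1" "$2"; then
        echo "WARN: $2 is not swap-backed tmpfs; a reboot will not clear it" >&2
        return 1
    fi
    n=$(count_symlinks "$3")
    if [ "$n" -ne 0 ]; then
        echo "WARN: $n symlink(s) present under $3; clean up before patching" >&2
        return 1
    fi
    echo "OK: $2 is swap-backed and $3 contains no symlinks"
    return 0
}
```

On a real host replace the sample text with `cat /etc/mnttab` output, e.g. `prepatch_check "$(cat /etc/mnttab)" /tmp /tmp`, and run it from single-user mode right before patchadd.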
