[18288] in bugtraq


Re: Solaris patchadd(1) (3) symlink vulnerability

daemon@ATHENA.MIT.EDU (Juergen P. Meier)
Thu Dec 21 15:36:48 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20001221120931.A23523@fm.rz.fh-muenchen.de>
Date:         Thu, 21 Dec 2000 12:09:31 +0100
Reply-To: jpm@class.de
From: "Juergen P. Meier" <jpm@CLASS.DE>
X-To:         Paul Szabo <psz@MATHS.USYD.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200012202213.JAA03182@milan.maths.usyd.edu.au>; from
              psz@MATHS.USYD.EDU.AU on Thu, Dec 21, 2000 at 09:13:29AM +1100

On Thu, Dec 21, 2000 at 09:13:29AM +1100, Paul Szabo wrote:
> Juergen P. Meier <jpm@class.de> wrote:
>
> > Solaris /usr/sbin/patchadd is a /bin/ksh script.
> > The problem lies in the vulnerability of ksh.
>
> Damn: thus it would seem that not only sh, but also ksh is vulnerable!

seems so :(

> > However: Sun Microsystems does recommend to only install
> > patches at single-user mode (runlevel S). ...
> > ... if you follow the Vendors recommendations, you are
> > not vulnerable.
>
> The attacker can create the symlinks before you go single-user. As the
> original poster Jonathan Fortin <jfortin@REVELEX.COM> said:
>
> > Only solution is to rm -rf /tmp/* /tmp/.* [and] make sure no users are on
>
> Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
> School of Mathematics and Statistics  University of Sydney   2006  Australia

I do indeed stand corrected: The only 2 solutions are:
1) change to single user mode by means of init S
   and rm -rf /tmp/* /tmp/.*
2) shutdown and boot -s into single user mode.

you should do this at least once (when sun releases the shell-patches ;)

have a nice day,

Juergen

--
Juergen P. Meier                        email: jpm@class.de
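
Added example, not part of the original message: a read-only check for the condition discussed above, symlinks already sitting in /tmp before a root-run script such as patchadd creates its temporary files there. The helper name audit_tmp_symlinks is hypothetical, and the sketch only lists links for review; it removes nothing.

```shell
#!/bin/sh
# Added example (not from the original post). Lists every symbolic link
# found under a temp directory so an administrator can review owner and
# target before running a root-owned script that writes there.
# audit_tmp_symlinks is a hypothetical helper name, not a Solaris tool.
#
# Usage: audit_tmp_symlinks /tmp
# Exit status: 0 = no symlinks found, 1 = at least one symlink listed.

audit_tmp_symlinks() {
    _dir=${1:-/tmp}

    # -xdev  : stay on the filesystem that holds the directory
    # -type l: match the links themselves, including dangling links and
    #          dotfile names that a plain "ls /tmp" would not show
    # ls -ld : prints owner, group and "name -> target" for each link
    _links=$(find "$_dir" -xdev -type l -exec ls -ld {} \; 2>/dev/null)

    if [ -n "$_links" ]; then
        printf '%s\n' "$_links"
        return 1
    fi
    return 0
}
```

A non-zero status means the directory still holds links that were planted or left behind, which is the state the cleanup steps in the message are meant to eliminate.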
