[18289] in bugtraq
Re: Solaris patchadd(1) (3) symlink vulnerabilty
daemon@ATHENA.MIT.EDU (Jonathan Fortin)
Thu Dec 21 15:38:36 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <E958B1BE26C6D411B7EF00B0D021DD910A9ABD@PINKY>
Date: Thu, 21 Dec 2000 07:44:57 -0500
Reply-To: Jonathan Fortin <Jfortin@REVELEX.COM>
From: Jonathan Fortin <Jfortin@REVELEX.COM>
X-To: Paul Szabo <psz@MATHS.USYD.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
Greetings,
It is not the shell's fault in this case; it's the shell script itself that
is creating a faulty temp file. Example pulled from the script:
tmp=$($GREP PATCHID $i). It's obvious that they're completely retarded,
whoever created patchadd.
The only solution to protect yourself would be mounting it with
nosymfollow if it's available in Solaris. Since it's not in the version I
tried, Solaris 7, we are kinda stuck with a bulky solution.
Sincerely,
Jonathan
-----Original Message-----
From: Paul Szabo
To: BUGTRAQ@SECURITYFOCUS.COM
Sent: 20/12/00 5:13 PM
Subject: Re: Solaris patchadd(1) (3) symlink vulnerabilty
Juergen P. Meier <jpm@class.de> wrote:
> Solaris /usr/sbin/patchadd is a /bin/ksh script.
> The problem lies in the vulnerability of ksh.
Damn: thus it would seem that not only sh, but also ksh is vulnerable!
> However: Sun Microsystems does recommend to only install
> patches at single-user mode (runlevel S). ...
> ... if you follow the Vendors recommendations, you are
> not vulnerable.
The attacker can create the symlinks before you go single-user. As the
original poster Jonathan Fortin <jfortin@REVELEX.COM> said:
> Only solution is to rm -rf /tmp/* /tmp/.* [and] make sure no users are on
Paul Szabo - psz@maths.usyd.edu.au
http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics, University of Sydney 2006, Australia
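
Added example (not part of either message, and not Sun's or the posters' code): a pre-flight check an administrator could run before invoking a root-run script such as patchadd, listing symlinks in /tmp, dot-files included, that are not owned by a trusted uid. The function names are hypothetical, and -maxdepth is assumed to be supported by the local find (GNU and BSD find have it).

```shell
#!/bin/sh
# Added example: look for pre-planted symlinks in a temp directory before
# running a privileged script that writes temp files there.
# Function names are hypothetical; -maxdepth is a GNU/BSD find option.

# Print every symlink directly inside directory $1 whose owner is not uid $2.
# find does not follow the links, so dangling links are reported too, and it
# matches dot-files, which the /tmp/* glob alone would miss.
untrusted_symlinks() {
    dir=$1
    trusted_uid=$2
    find "$dir" -maxdepth 1 -type l ! -user "$trusted_uid" -print 2>/dev/null
}

# Return 0 when the directory holds no symlink owned by another uid,
# otherwise list the offenders on stderr and return 1.
# Defaults: /tmp and uid 0 (root), the account that runs the patch script.
preflight_tmp() {
    dir=${1:-/tmp}
    trusted_uid=${2:-0}
    hits=$(untrusted_symlinks "$dir" "$trusted_uid")
    if [ -n "$hits" ]; then
        printf 'symlinks in %s not owned by uid %s:\n%s\n' \
            "$dir" "$trusted_uid" "$hits" >&2
        return 1
    fi
    return 0
}

# Typical use, as root, once no other users are logged in:
#   preflight_tmp /tmp 0 && echo "no foreign symlinks in /tmp"
```

A clean result only holds while no other user can write to the directory, which is why the thread pairs the cleanup with making sure no users are on.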