[18466] in bugtraq


Re: /usr/sbin/audlinks vulnerability

daemon@ATHENA.MIT.EDU (Konrad Rieck)
Mon Jan 8 14:42:59 2001

Mail-Followup-To: Konrad Rieck <kr@r0q.cx>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20010105194121.A707@r0q.cx>
Date:         Fri, 5 Jan 2001 19:41:21 +0100
Reply-To: Konrad Rieck <kr@R0Q.CX>
From: Konrad Rieck <kr@R0Q.CX>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20001228223450.467DD24CE95@lists.securityfocus.com>; from "Optyx
              - Uberhax0r Communications"@SECURITYFOCUS.COM on Thu, Dec 28,
              2000 at 02:34:50PM -0800

On Thu, Dec 28, 2000 at 02:34:50PM -0800, "Optyx - Uberhax0r Communications"@SECURITYFOCUS.COM wrote:

> /usr/sbin/audlinks has the following behavior:
> $ id
> uid=100(optyx) gid=1(other)
> $ mkdir -p /tmp/b/dev
> $ ln -s /.rhosts /tmp/b/dev/.devfsadm_dev.lock
> $ su root
> Password:
> # /usr/sbin/audlinks -r /tmp/b
> # ls -l /.rhosts
> -rw-r--r--   1 root     other          4 Dec 28 14:28 /.rhosts

As far as I know audlinks is deprecated for at least Solaris 8.
Devfsadm(1M) maintains the /dev and /devices namespaces. It replaces the
previous suite of devfs administration tools including audlinks(1M).

Casper Dik already mentioned that the generated /.rhosts file would
be useless if you plan to gain root privileges using rsh/rlogin.

But I'd like to add that I can't see a real vulnerability in the above
scenario. audlinks is used to add the audio symlinks and the sound
directory to the devices of a system (/dev); why the hell should an
administrator create these files in a directory owned by a user in /tmp?

I can only imagine that an administrator mounts another root filesystem
and creates the audlinks manually, e.g.

    /usr/sbin/mount /dev/dsk/c0t0d0s0 /a
    /usr/sbin/audlinks -r /a

But in this case /a wouldn't be world-writable. I can't see any problem
with audlinks. Sorry.

Regards,
Konrad

--
Konrad Rieck <kr@r0q.cx>         Roqefellaz - http://www.r0q.cx
Fingerprint: 3AA8 CF92 C179 9760 C3B3  1B43 33B6 9221 AFBF 5897
--                 GPG Public Key http://www.r0q.cx/keys/kr.pub
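
[Added example, not part of Konrad's or Optyx's posts and not audlinks
source: the thread never shows how audlinks opens its lock file, so the
"naive" function below is an assumption that reproduces the observed
behaviour, namely open(2) with O_CREAT following a symlink planted at
<root>/dev/.devfsadm_dev.lock and creating the link target. The
"safe" function shows the pattern that refuses the planted link
(O_CREAT|O_EXCL, plus O_NOFOLLOW where available). run_scenario() builds
Optyx's layout under a fresh temporary directory with a harmless victim
file instead of /.rhosts and reports whether the victim got created. The
lock-file name and the /tmp/audlinks-demo.* prefix are taken from or
modelled on the transcript and are illustrative only.]

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Lock-file path relative to the -r root, as seen in Optyx's transcript
 * (assumption: we do not know audlinks' real open flags). */
#define LOCK_REL "dev/.devfsadm_dev.lock"

/* Naive creator: O_CREAT without O_EXCL follows a symlink sitting at the
 * lock path, so a root caller creates or truncates whatever it points at. */
int create_lock_naive(const char *root) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", root, LOCK_REL);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Hardened creator: O_EXCL makes open() fail with EEXIST when anything,
 * including a symlink (dangling or not), already sits at the path;
 * O_NOFOLLOW additionally refuses a symlink as the final component. */
int create_lock_safe(const char *root) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", root, LOCK_REL);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;               /* errno is EEXIST or ELOOP for a planted link */
    close(fd);
    return 0;
}

/* Rebuilds the transcript's layout under a fresh temp directory:
 *   <tmp>/dev/.devfsadm_dev.lock -> <tmp>/victim
 * then runs the chosen creator with <tmp> as the -r root.
 * Returns 1 if the victim file was created through the link, 0 if not,
 * -1 if the scenario could not be set up. */
int run_scenario(int (*creator)(const char *)) {
    char tmpl[] = "/tmp/audlinks-demo.XXXXXX";   /* constructed sandbox */
    char *root = mkdtemp(tmpl);
    if (!root)
        return -1;

    char dev[PATH_MAX], lock[PATH_MAX], victim[PATH_MAX];
    snprintf(dev, sizeof dev, "%s/dev", root);
    snprintf(lock, sizeof lock, "%s/%s", root, LOCK_REL);
    snprintf(victim, sizeof victim, "%s/victim", root);

    if (mkdir(dev, 0755) < 0 || symlink(victim, lock) < 0) {
        rmdir(dev);
        rmdir(root);
        return -1;
    }

    creator(root);   /* return value is irrelevant; the side effect is the point */

    struct stat st;
    int created = (stat(victim, &st) == 0);

    unlink(victim);
    unlink(lock);
    rmdir(dev);
    rmdir(root);
    return created;
}

int main(void) {
    printf("O_CREAT|O_TRUNC creator wrote through the symlink: %s\n",
           run_scenario(create_lock_naive) == 1 ? "yes" : "no");
    printf("O_CREAT|O_EXCL|O_NOFOLLOW creator wrote through the symlink: %s\n",
           run_scenario(create_lock_safe) == 1 ? "yes" : "no");
    return 0;
}
```

The part that matters is O_EXCL: POSIX requires open() to fail with
EEXIST when O_CREAT|O_EXCL is given and the path names a symbolic link,
regardless of where the link points, so the check is done atomically in
the kernel rather than by a racy lstat() before the open. O_NOFOLLOW is a
second line of defence on systems that have it.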
