[2102] in bugtraq
Re: BUGTRAQ ALERT: Solaris 2.x vulnerability
daemon@ATHENA.MIT.EDU (Neil Readwin)
Tue Aug 15 17:43:35 1995
Date: Tue, 15 Aug 1995 21:58:33 +0100
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Neil Readwin <nreadwin@london.micrognosis.com>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199508151659.JAA23492@dilger.Eng.Sun.COM> from "Michael Dilger"
at Aug 15, 95 09:59:13 am
Michael Dilger writes:
> I tried this attack on /usr/bin/ps and /usr/ucb/ps, and it works on
> both of them. This makes me think that more than just solaris 2.x
> machines are vulnerable (depending on the /tmp sticky bit).
Many things depend on the /tmp sticky bit, ps was just a convenient
way to get root. crontab can be attacked to overwrite anyone's cron
file when they run 'crontab -e' (Scott, if you think it's worth
posting the code for this let me know) and any of the other things that
stash files in /tmp can be attacked. Neil.
--
nreadwin@micrognosis.co.uk Phone: +1 908 855 1221 x519
Anything is a cause for sorrow that my mind or body has made
