[2109] in bugtraq
Re: BUGTRAQ ALERT: Solaris 2.x vulnerability
daemon@ATHENA.MIT.EDU (Pug)
Wed Aug 16 11:05:08 1995
Date: Wed, 16 Aug 1995 08:49:30 -0500
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Pug <pug@arlut.utexas.edu>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199508142126.PAA07715@crimelab.com> from "Scott Chasin" at Aug 14, 95 03:26:33 pm
Okay, I must be missing something.
> OPERATING SYSTEM(S):
> Solaris 2.x (Sunos 5.x)
???? I'm on 2.4 HW 3/95 (plus a bunch of patches of course) and can't
find this hole. I'm looking to see if we still have a 2.3 machine
around.
> DESCRIPTION:
> A race condition exists in /usr/bin/ps when ps opens a temporary
> file when executed. After opening the file, /usr/bin/ps chown's the
> temporary file to root and then renames it to /tmp/ps_data.
Well, I can't seem to find the temp files, even while running the exploit.
(With a while (1) ls -l ps.* |& grep -v "No match" running.)
> WORKAROUND:
> chmod +t /tmp
If this is the truth, that means all of us *not* running with tmpfs will
be affected. There is a bug in the code such that the sticky bit works
correctly on tmpfs but not on ufs.
> unlink ("/tmp/ps_data");
Uhh. On my system this won't work since /tmp/ps_data is 664. Or is this
a matter of trying to catch the program twice?
> if (!strncmp (dp->d_name, "ps.", 3))
>     sprintf (name, "/tmp/%s", dp->d_name);
I can't find this tmp file. I've checked the sources and it clearly does
create it; I just haven't been able to catch it. I'll keep trying though.
Mostly I wanted to point out the bugs in ufs /tmp with sticky bit on.
Ciao,
--
Richard Bainter Mundanely | System Analyst - OMG/CSD
Pug Generally | Applied Research Labs - U.Texas
pug@arlut.utexas.edu | pug@eden.com | {any user}@pug.net
Note: The views may not reflect my employers, or even my own for that matter.
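An audit helper for the two points this exchange turns on: whether a shared temp directory actually carries the sticky bit the advisory's workaround relies on, and what is sitting in it under the names the advisory mentions (ps.* scratch files and ps_data). This is an added example, not code from the original post or the advisory; the directory is a parameter so it can be pointed at a test directory, and defaulting it to /tmp is an assumption.

```shell
#!/bin/sh
# Added audit helper (not from the original thread). Checks a shared temp
# directory for the sticky bit and reports leftovers named in the advisory.

# Return 0 if directory $1 has the sticky bit set, 1 otherwise.
# Parses the mode column of ls -ld: position 10 is 't' or 'T' when the
# sticky bit is set, which is portable across BSD and GNU userlands.
dir_has_sticky() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c10)" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 if $1 is writable by "other" (mode position 9 is 'w'), 1 otherwise.
file_world_writable() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c9)" in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a short report for temp directory $1 (assumed default: /tmp).
audit_tmp() {
    dir=${1:-/tmp}
    if dir_has_sticky "$dir"; then
        echo "$dir: sticky bit set"
    else
        echo "$dir: sticky bit NOT set (advisory workaround: chmod +t $dir)"
    fi
    # Scratch files left behind by ps are worth a look on a shared host.
    for f in "$dir"/ps.*; do
        [ -e "$f" ] && echo "leftover scratch file: $f"
    done
    if [ -e "$dir/ps_data" ]; then
        ls -l "$dir/ps_data"
        file_world_writable "$dir/ps_data" && echo "$dir/ps_data is world-writable"
    fi
    return 0
}
```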