[2115] in bugtraq
Re: BUGTRAQ ALERT: Solaris 2.x vulnerability
daemon@ATHENA.MIT.EDU (Neil Readwin)
Wed Aug 16 15:43:34 1995
Date: Wed, 16 Aug 1995 19:14:53 +0100
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Neil Readwin <nreadwin@london.micrognosis.com>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199508161214.IAA02595@hausdorff.math.psu.edu> from "Dan Cross"
at Aug 16, 95 08:14:24 am
Dan Cross writes:
> However, an extremely worthwhile thing to post would be a list of setuid
> programs which make use of /tmp and are exploitable in the same manner.
setuid is not the issue - any program that creates files in /tmp and
reopens them may be vulnerable. That includes basic things like /bin/sh
(for << documents), so if root ever runs a shell script then an attack may
be possible.
If the sticky bit is not set on /tmp then you are toast - end of story.
--
nreadwin@micrognosis.co.uk Phone: +1 908 855 1221 x519
Anything is a cause for sorrow that my mind or body has made
