[2245] in bugtraq
Re: load.root (loadmodule hole)
daemon@ATHENA.MIT.EDU (Urban)
Mon Sep 18 10:32:05 1995
Date: Mon, 18 Sep 1995 09:18:09 +0200
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Urban <Urban.Kaveus@edt.ericsson.se>
X-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <Pine.HPP.3.91.950915154032.10301A-100000@statt.ericsson.se>
Sorry to bother you again, but my previous script did an
unnecessary call to "setuid()".
Here's one without that call, but still it does not cope with
the underlying problem, it just makes 8lgm's script inoperable.
Yours
Urban Kaveus
LM Ericsson Data AB
/*****************************************************************
This wrapper program will HOPEFULLY protect you against the
bug in loadmodule described by 8lgm.
Version 1.1: setuid call removed
Do like this:
First, let us assume you name this program "wrapper.c" and
you store it under /usr/openwin/bin.
Then, execute the following commands as root:
sunos # cd /usr/openwin/bin
sunos # mv loadmodule loadmodule.original
sunos # chmod 700 loadmodule.original
sunos # cc -o loadmodule wrapper.c
sunos # chmod 4755 loadmodule
Now you should have :
sunos # ls -l loadmodule*
-rwsr-xr-x 1 root 24576 Sep 15 12:13 loadmodule
-rwx------ 1 root 24576 Jul 24 17:36 loadmodule.original
Use at own risk !
Written 1995-09-15 by Urban Kaveus, LM Ericsson Data AB
******************************************************************/
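#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* K&R-style definition, as in the original post. */
int
main(argc, argv, envp)
    int argc;
    char **argv, **envp;
{
    char **c;

    /* Walk every entry of the inherited environment. */
    c = envp;
    while (*c) {
        if (strncmp(*c, "IFS=", 4) == 0) {
            (*c)[4] = 0;  /* Truncate all instances of IFS ! */
        }
        c++;
    }

    /* Run the original version of loadmodule. */
    execve("/usr/openwin/bin/loadmodule.original",
           argv, envp);

    /* Only reached if execve() failed. */
    perror("execve");
    return 1;
}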
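
The post says the wrapper only truncates IFS and does not cope with the underlying problem. As an added example (not part of Urban's post and not a vendor fix), this variant goes beyond the IFS-only case and hands the original binary an environment rebuilt from an allowlist, with PATH and IFS set by the wrapper itself. The allowlist, the fixed PATH and IFS values and the helper names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed allowlist of variables passed through unchanged (illustrative). */
static const char *const KEEP[] = { "TERM", "DISPLAY", "HOME", "USER", NULL };
/* Values the wrapper always sets itself (assumed, not from the post). */
static char FIXED_PATH[] = "PATH=/usr/bin:/bin";
static char FIXED_IFS[]  = "IFS= \t\n";

/* Index in KEEP of the variable named by "NAME=value", or -1. */
static int allowed_index(const char *entry)
{
    size_t n;
    int i;
    for (i = 0; KEEP[i] != NULL; i++) {
        n = strlen(KEEP[i]);
        if (strncmp(entry, KEEP[i], n) == 0 && entry[n] == '=')
            return i;
    }
    return -1;
}

/* Fill out[] (capacity cap, NULL-terminated) with a clean environment.
   Returns the number of entries, or -1 if out[] is too small. */
int build_clean_env(char **envp, char **out, int cap)
{
    int n = 0, k, seen[4] = { 0, 0, 0, 0 };  /* one flag per KEEP name */
    if (cap < 3) return -1;
    out[n++] = FIXED_PATH;
    out[n++] = FIXED_IFS;
    for (; envp != NULL && *envp != NULL; envp++) {
        k = allowed_index(*envp);
        if (k < 0 || seen[k]) continue;  /* drop unknown names and repeats */
        if (n + 1 >= cap) return -1;
        seen[k] = 1;
        out[n++] = *envp;
    }
    out[n] = NULL;
    return n;
}

int main(int argc, char **argv, char **envp)
{
    char *clean[16];
    (void)argc;
    if (build_clean_env(envp, clean, 16) < 0) return 1;
    execve("/usr/openwin/bin/loadmodule.original", argv, clean);
    perror("execve");  /* only reached if execve() failed */
    return 1;
}
```

Inherited IFS and PATH entries never reach the wrapped program, and only the first instance of each allowlisted name is kept.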