[3022] in bugtraq
admintool (was Re: Zolaris 2.5 Exploited.)
daemon@ATHENA.MIT.EDU (anthony baxter)
Fri Jul 26 12:10:31 1996
Date: Fri, 26 Jul 1996 15:10:25 +1000
Reply-To: anthony.baxter@aaii.oz.au
From: anthony baxter <anthony.baxter@aaii.oz.au>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: Message from Leif Hedstrom of 1996-Jul-25 19:49:33,
<199607260249.TAA10928@data.mcom.com>
> Fwiw, I believe "admintool" in Solaris-2.5 has exactly the same problem.
> /tmp/.group.lock for instance is created 666, no security checks...
> Just go to the "Groups" menu, and you'll have a nice and clean /.rhosts
> file to play with... :(
Hell, even easier, /tmp/.pwd.lock - you don't even need to select 'groups'. :)
or /tmp/.hosts.lock, and select 'hosts'.
cat 'clue' | admintool_author@sun.com
chmod ug-s /usr/bin/admintool (it's the only way to be sure)
truss/strace/sctrace/equivalent on applications such as these can be
quite enlightening (if nothing else, look for 'open()' calls).
Anthony
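
The lock files named in this thread are created in /tmp mode 666 with no checks. The following is an added example, not part of the original post and not Sun's code: one way a privileged program can create such a lock file so that a pre-planted symlink is refused. The function names and the `/tmp/lockdemo.*` paths are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened lock creation: O_EXCL fails if anything (a symlink included)
 * already sits at path, O_NOFOLLOW refuses a symlink in the last component,
 * and 0600 keeps the file from ever being world-writable. */
int create_lock_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* Defence in depth: confirm we hold a regular, singly linked file that
     * we own and that grants nothing to group or other. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & 0077) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp directory: a symlink is planted at
 * the lock path. Returns 0 when the symlink is refused, its target is never
 * created, and a clean path yields a private lock file. */
int check_symlink_refused(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX", lock[64], target[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(lock, sizeof lock, "%s/.demo.lock", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, lock) != 0) return 2;
    int refused = create_lock_safe(lock) < 0;      /* symlink in the way */
    int target_absent = access(target, F_OK) != 0; /* nothing written through */
    unlink(lock);
    int fd = create_lock_safe(lock);               /* clean path succeeds */
    int clean_ok = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0077) == 0;
    if (fd >= 0) close(fd);
    unlink(lock);
    rmdir(dir);
    return (refused && target_absent && clean_ok) ? 0 : 3;
}

int main(void) { return check_symlink_refused(); }
```

In a truss/strace trace, the unsafe pattern shows up as an `open()` on a fixed /tmp name with `O_CREAT` but without `O_EXCL`.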