[30586] in bugtraq
Re: Red Hat 9: free tickets
daemon@ATHENA.MIT.EDU (Carlos Villegas)
Wed Jul 2 18:26:23 2003
Date: Wed, 2 Jul 2003 17:07:29 -0400
From: Carlos Villegas <villegas@math.gatech.edu>
To: Michal Zalewski <lcamtuf@ghettot.org>
Message-ID: <20030702210729.GQ26929@hemi.math.gatech.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030702110707.I59447-100000@dekadens.ghettot.org>
This way of attack seems useless to me. This is also used on RH 8.0
systems, and for both 8.0 and 9 systems:
drwx------ 4 root root 4096 Jun 27 08:43 /var/run/sudo
Which means that if the packages are properly built (and will make sure
that this directory gets this permissions if it existed before the
rpm is installed), this attack will gain you nothing, since you need
to be root to exploit it. If you can get root access to make this
attack possible, then you might as well launch a shell instead.
Carlos
