[319] in bugtraq
Re: pt_chmod
daemon@ATHENA.MIT.EDU (Bela Lubkin)
Sat Dec 3 02:19:48 1994
From: Bela Lubkin <belal@sco.COM>
Date: Fri, 2 Dec 1994 21:22:43 -0800
To: bugtraq@fc.net
Carson Gaspar wrote:
> Does anyone know what the pt_chmod hole is? The same suid program exists in
> Solaris 2.x, and knowing Sun's track record...

By my testing, exactly the same bug exists on Solaris 2.3/SPARC;
however, it does not cause a security hole there. The security hole is
caused by how the SCO execution environment treats NULL dereferences.
The same bug probably exists in the pt_chmod source on most System V
systems; whether it causes a security problem depends on how the OS
treats NULL dereferences.

Full disclosure has been sent to CERT for dissemination to other OS
vendors. I am not in a position to publicly disclose full details at
this time; I also think that to do so would be rude to other OS vendors
who have not had a chance to issue their own fixes.

Your pt_chmod is safe if it coredumps when run as
`pt_chmod < /etc/termcap`. If not, it might or might not be safe. Ask your OS
vendor, "trace" or "truss".

I'm sorry that I can't say more.
>Bela<
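
The message above ties the impact to how the OS treats a NULL dereference. As an added example (not part of the original post and not pt_chmod code), this C probe forks a child that reads one byte through a null pointer and reports whether the kernel killed it with a signal; the function names `null_read_signal` and `null_read_faults` are hypothetical.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from the post): returns the number of the signal
 * that killed a child which read through a null pointer, 0 if the read
 * succeeded (address 0 is mapped and readable), or -1 on fork/wait failure. */
int null_read_signal(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Keep the probe tidy: do not leave a core file behind. */
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core);
        /* volatile stops the compiler from optimising the read away. */
        volatile const char *volatile p = NULL;
        char c = *p;
        (void)c;
        _exit(0); /* reached only when the NULL read returned data */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* 1 when a NULL read terminates the process, 0 otherwise. */
int null_read_faults(void) { return null_read_signal() > 0; }

int main(void)
{
    int sig = null_read_signal();
    if (sig > 0)
        printf("NULL read faulted (signal %d): page zero is not readable\n", sig);
    else if (sig == 0)
        printf("NULL read succeeded: page zero is readable on this system\n");
    else {
        perror("fork/waitpid");
        return 2;
    }
    return 0;
}
```

A system where the read succeeds is in the "might or might not be safe" category the message describes, because a program with a NULL dereference keeps running there instead of crashing.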