Re: pt_chmod
daemon@ATHENA.MIT.EDU (Karl Strickland)
Sat Dec 3 12:14:22 1994
From: Karl Strickland <karl@bagpuss.demon.co.uk>
To: Bela Lubkin <belal@sco.COM>
Date: Sat, 3 Dec 1994 15:25:37 +0000 (GMT)
Cc: bugtraq@fc.net
In-Reply-To: <9412022122.aa19268@srv150a.sco.com> from "Bela Lubkin" at Dec 2, 94 09:22:43 pm
>
> Carson Gaspar wrote:
>
> > Does anyone know what the pt_chmod hole is? The same suid program exists in
> > Solaris 2.x, and knowing Sun's track record...
>
> By my testing, exactly the same bug exists on Solaris 2.3/SPARC;
> however, it does not cause a security hole there. The security hole is
> caused by how the SCO execution environment treats NULL dereferences.
> The same bug probably exists in the pt_chmod source on most System V
> systems; whether it causes a security problem depends on how the OS
> treats NULL dereferences.
>
> Full disclosure has been sent to CERT for dissemination to other OS
> vendors. I am not in a position to publicly disclose full details at
> this time; I also think that to do so would be rude to other OS vendors
> who have not had a chance to issue their own fixes.
you might have cc'd it to 8lgm, to save us a few hours!!! :-)
>
> Your pt_chmod is safe if it coredumps when run as `pt_chmod <
> /etc/termcap`. If not, it might or might not be safe. Ask your OS
> vendor, "trace" or "truss".
Talking of trace, is SCO's trace broken? Our copy, at least, seems to
miss out system calls. E.g. for pt_chmod, trace never shows chown(2)
being called; but if you disassemble it or single-step it with adb,
you can see that it does actually get called.
>
> I'm sorry that I can't say more.
>
> >Bela<
>
>
Well done for getting those patches out so quickly.
Cheers
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               | Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
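Bela's point above is that the same pt_chmod bug is only a security hole on systems where a NULL dereference does not fault. The following C probe, an added example that is not part of this thread or of any vendor's code, checks that property on the host: it reads through a NULL pointer in a forked child and reports whether the child died with a fault signal (the "coredumps" case) or survived (page zero readable). The function name `null_deref_faults` is my own.

```c
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if reading through a NULL pointer kills the process with a
 * fault signal (SIGSEGV or SIGBUS), 0 if the read silently succeeds
 * (page zero is mapped and readable), and -1 if fork/waitpid failed.
 * The read is done in a child so the caller survives either way. */
int null_deref_faults(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* volatile so the compiler really emits the load from address 0 */
        volatile char *p = NULL;
        char c = *p;
        (void)c;
        _exit(0);   /* survived the read: NULL page is readable here */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status) &&
        (WTERMSIG(status) == SIGSEGV || WTERMSIG(status) == SIGBUS))
        return 1;   /* child faulted, as it does on a hardened OS */
    return 0;       /* child exited normally: NULL dereference tolerated */
}

int main(void)
{
    int r = null_deref_faults();
    if (r < 0) {
        perror("fork/waitpid");
        return 2;
    }
    printf("NULL dereference %s on this system\n",
           r ? "faults (process dies)" : "does NOT fault (page zero readable)");
    return 0;
}
```

A result of 0 is the environment Bela describes for SCO, where a setuid program that blindly uses a NULL pointer keeps running instead of dumping core.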