Re: BUGTRAQ ALERT: Solaris 2.x vulnerability

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Neil Readwin: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"
• Previous message: Brian Perkins: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"
• In reply to: Michael Dilger: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"
• Next in thread: Brian Perkins: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"

On Tue, 15 Aug 1995, Michael Dilger wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Content-Type: text/plain; charset=us-ascii
>
>
> > B U G T R A Q   A L E R T                           bugtraq-alert-081495.01
> > [...]
> > Scott Chasin
> > chasin@crimelab.com
>
> Good job Scott.
>
> I tried this attack on /usr/bin/ps and /usr/ucb/ps, and it works on
> both of them.  This makes me think that more than just solaris 2.x
> machines are vulnerable (depending on the /tmp sticky bit).
>
> - --
> Michael Dilger
> Michael.Dilger@Sun.COM
> ENS, Network Security Group
> Sun Microsystems, Inc.

I haven't been able to get this to work. It seems that /usr/bin/ps does not
create any files in /tmp. I had two windows open, one doing a while true ; do
ls /tmp ; sleep 1 ; done. And the other trying this exploit. A ps.* file is
never created (rather no files are created in /tmp). I accidentally left the
exploit running all night and it still didn't work. /usr/ucb/ps however does
create a ps_data file, but it doesnt seem to be changed by psrace.

Any ideas?

Also, does sun plan to release a patch, rather than making the /tmp sticky?

Adam

• Next message: Neil Readwin: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"
• Previous message: Brian Perkins: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"
• In reply to: Michael Dilger: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"
• Next in thread: Brian Perkins: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"