Re: BUGTRAQ ALERT: Solaris 2.x vulnerability

Pug (pug@arlut.utexas.edu)
Wed, 16 Aug 1995 08:49:30 -0500

Okay, I must be missing something.

> OPERATING SYSTEM(S):
>          Solaris 2.x (Sunos 5.x)

???? I'm on 2.4 HW 3/95 (plus a bunch of patches of course) and can't
find this hole. I'm looking to see if we still have a 2.3 machine
around.

> DESCRIPTION:
>          A race condition exists in /usr/bin/ps when ps opens a temporary
>          file when executed.  After opening the file, /usr/bin/ps chown's the
>          temporary file to root and then renames it to /tmp/ps_data.

Well, I can't seem to find the temp files, even while running the exploit.
(With a while (1) ls -l ps.* |& grep -v "No match" running.)

> WORKAROUND:
>          chmod +t /tmp

If this is the truth, that means all of us *not* running with tmpfs will
be affected. There is a bug in the code that the sticky bit works
correctly on tmpfs but not on ufs.

>      unlink ("/tmp/ps_data");

Uhh. On my system this won't work since /tmp/ps_data is 664. Or is this
a matter of trying to catch the program twice?

>         if (!strncmp (dp->d_name, "ps.", 3))
>            sprintf (name, "/tmp/%s", dp->d_name);

I can't find this tmp file. I've checked the sources and it clearly does
create it; I just haven't been able to catch it. I'll keep trying though.

Mostly I wanted to point out the bugs in ufs /tmp with sticky bit on.

Ciao,

--
Richard Bainter          Mundanely     |    System Analyst        - OMG/CSD
Pug                      Generally     |    Applied Research Labs - U.Texas
   pug@arlut.utexas.edu     |     pug@eden.com     |     {any user}@pug.net
Note: The views may not reflect my employers, or even my own for that matter.
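As an added example (not part of the original post or of the Solaris tools it discusses), a small POSIX sh audit of the "chmod +t /tmp" workaround quoted above: it reports whether a shared temporary directory is world-writable without the sticky bit. The function names and the list of directories walked are my own choices; it assumes only ls, cut and chmod.

```sh
#!/bin/sh
# Added example: audit shared temp directories for the "chmod +t" workaround.
# Not part of the original post; function names are this example's own.

# perm_has_sticky MODE: succeed if an ls -ld mode string such as drwxrwxrwt
# carries the sticky bit (shown as 't', or 'T' when others lack execute).
perm_has_sticky() {
    case "$1" in
        ?????????[tT]*) return 0 ;;
        *)              return 1 ;;
    esac
}

# perm_world_writable MODE: succeed if "others" have write permission
# (character 9 of the mode string).
perm_world_writable() {
    case "$1" in
        ????????w?*) return 0 ;;
        *)           return 1 ;;
    esac
}

# dir_mode DIR: print the 10-character mode string of DIR itself
# (the -d keeps ls from listing the directory's contents).
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# audit_tmp_dir DIR: print a verdict for DIR.
#   returns 0 if DIR is sticky or not world-writable (safe)
#   returns 1 if DIR is world-writable without the sticky bit (unsafe)
#   returns 2 if DIR does not exist
audit_tmp_dir() {
    [ -d "$1" ] || { echo "missing: $1"; return 2; }
    mode=$(dir_mode "$1")
    if perm_world_writable "$mode" && ! perm_has_sticky "$mode"; then
        echo "unsafe: $1 is world-writable without the sticky bit (fix: chmod +t $1)"
        return 1
    fi
    echo "safe: $1 ($mode)"
    return 0
}

# When run directly, walk the usual shared temp directories and exit
# non-zero if any of them is unsafe.
status=0
for d in /tmp /var/tmp; do
    if [ -d "$d" ]; then
        audit_tmp_dir "$d" || status=1
    fi
done
```

The check only covers the sticky bit; it cannot tell you whether a given ufs kernel honours it, which is the separate bug the poster raises.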