Re: BUGTRAQ ALERT: Solaris 2.x vulnerability

Neil Readwin (nreadwin@london.micrognosis.com)
Wed, 16 Aug 1995 19:14:53 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: (no name): "personalized /tmp (was: BUGTRAQ ALERT: Solarix 2.x vulnerability)"
Previous message: Patrick Hess: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"
In reply to: Dan Cross: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"
Next in thread: Dan Cross: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"

Dan Cross writes:
> However, an extremely worthwhile thing to post would be a list of setuid
> programs which make use of /tmp and are exploitable in the same manner.

setuid is not the issue - any program that creates files in /tmp and
reopens them may be vulnerable. That includes basic things like /bin/sh
(for << documents), so if root ever runs a shell script then an attack may
be possible.

If the sticky bit is not set on /tmp then you are toast - end of story.
--
 nreadwin@micrognosis.co.uk       Phone: +1 908 855 1221 x519
 Anything is a cause for sorrow that my mind or body has made

Next message: (no name): "personalized /tmp (was: BUGTRAQ ALERT: Solarix 2.x vulnerability)"
Previous message: Patrick Hess: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"
In reply to: Dan Cross: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"
Next in thread: Dan Cross: "Re: BUGTRAQ ALERT: Solaris 2.x vulnerability"