Bugtraq mailing list archives

Re: Solaris 2.3 login


From: matt () uts EDU AU (Jas)
Date: Fri, 12 Aug 1994 13:47:00 +1000 (EST)


well i had a bit of a hack around last night with 2.3 login. it seems you
can set environment variables with login such as

% exec login user IFS=/

now of course IFS, PATH, SHELL can't be set but others can! now of course
since login tries to read past the user name you can get login to core dump
quite easily by over feeding it like this

% exec login user "`cat big.binary.file`"

this will quite happily core dump login. now i don't see a huge problem so
much from this unless of course someone has managed to compromise saf or
ttymon as well. *shrug* but when it is core dumped it is running as root
and it does leave a world writeable core in /. i'm not sure if this would
make it insecure as i haven't had much experience in cracking systems, but
i'm sure there are some people out there that can do a fair amount of damage
given a world writable file owned by root. *shrug* will there be a patch?


                                Matt

--

        Matthew Keenan
        Systems Programmer              Information Technology Division
        University of Technology Sydney

        www:    http://milliways.itd.uts.edu.au/~matt/
        email:  matt () uts edu au
        phone:  +61 2 330 1390          "Don't murder a man who is about
        fax:    +61 2 330 1999          to commit suicide."
        home:   +61 2 416 5722          -- Machiavelli

GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ UVS++++$
        P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ !5>++ jx R+
        G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y
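
Added example, not part of the original post and not Solaris login source: one way a login-style program can handle the NAME=VALUE arguments that follow the user name, using an allowlist instead of the denylist behaviour the post describes, with fixed bounds on argument count and length. The limits, the allowlisted names and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENV_ARGS 8    /* assumed cap on NAME=VALUE arguments */
#define MAX_ENV_LEN  256  /* assumed cap on the length of one argument */
/* Hypothetical allowlist; a denylist misses every name nobody thought of. */
static const char *const allowed_names[] = { "TERM", "LANG", "TZ", NULL };

/* Return 1 if arg is NAME=VALUE, bounded in length, with an allowed NAME. */
static int env_arg_ok(const char *arg)
{
    size_t len = 0;
    const char *eq;
    while (len <= MAX_ENV_LEN && arg[len] != '\0')
        len++;                          /* never scan past the cap */
    if (len > MAX_ENV_LEN || (eq = memchr(arg, '=', len)) == NULL || eq == arg)
        return 0;
    for (size_t i = 0; allowed_names[i] != NULL; i++) {
        size_t n = strlen(allowed_names[i]);
        if ((size_t)(eq - arg) == n && memcmp(arg, allowed_names[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Store accepted arguments in out (room for out_cap pointers). Returns the
 * number kept, or -1 when more than MAX_ENV_ARGS were supplied: the whole
 * request is refused rather than silently truncated. */
int filter_login_env(const char *const *args, size_t nargs,
                     const char **out, size_t out_cap)
{
    size_t kept = 0;
    if (nargs > MAX_ENV_ARGS)
        return -1;
    for (size_t i = 0; i < nargs; i++)
        if (kept < out_cap && env_arg_ok(args[i]))
            out[kept++] = args[i];
    return (int)kept;
}

int main(void)
{
    /* Constructed sample arguments, as they might follow the user name. */
    const char *args[] = { "TERM=vt100", "IFS=/", "FOO=bar", "TZ=UTC" };
    const char *out[MAX_ENV_ARGS];
    printf("kept %d of 4\n", filter_login_env(args, 4, out, MAX_ENV_ARGS));
    return 0;
}
```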


