Bugtraq mailing list archives
BUGTRAQ ALERT: Solaris 2.x
From: akjoele () shiva ee siue edu (Arve Kjoelen)
Date: Fri, 18 Aug 1995 10:00:24 -0500
I was able to reproduce the problem on a SPARC 5/85 running Solaris 2.5 BETA within approximately 2.5 minutes when using /usr/bin/ps. I was not very successful in doing so with /usr/ucb/ps. But then again, maybe I haven't let the job run long enough.
Dave
This is also the case on Solaris 2.3 and 2.4. /usr/bin/ps is easily compromised,
while /usr/ucb/ps is not. I ran the job all night on a machine running
Solaris 2.3, using /usr/ucb/ps, without success. However, doing a truss on
both /usr/bin/ps and /usr/ucb/ps reveals what looks to me like identical
procedures for dealing with the /tmp/ps* files:
Partial output from truss /usr/bin/ps (after /tmp/ps_data removed):
getpid() = 26224 [26223]
access("/tmp/ps.a006Pk", 0) Err#2 ENOENT
open("/tmp/ps.a006Pk", O_WRONLY|O_CREAT|O_EXCL, 0664) = 3
chown("/tmp/ps.a006Pk", 0, 3) = 0
write(3, "\0\001 s", 4) = 4
write(3, " p t s / 0\0\0\0\0\0\0\0".., 7420) = 7420
close(3) = 0
rename("/tmp/ps.a006Pk", "/tmp/ps_data") = 0
Partial output from truss /usr/ucb/ps (after /tmp/ups_data removed):
getpid() = 26089 [26088]
access("/tmp/ps.a006Nd", 0) Err#2 ENOENT
open("/tmp/ps.a006Nd", O_WRONLY|O_CREAT|O_EXCL, 0664) = 4
chown("/tmp/ps.a006Nd", 0, 3) = 0
write(4, "\0\001 s", 4) = 4
write(4, " p t s / 0\0\0\0\0\0\0\0".., 7420) = 7420
write(4, "\0\0 $FC", 4) = 4
write(4, " P R _ S I Z E\0\0\0\0\0".., 189360) = 189360
write(4, "\0\0\004F006D998F0\t l10".., 40) = 40
close(4) = 0
rename("/tmp/ps.a006Nd", "/tmp/ups_data") = 0
My question is: Why doesn't the psrace program work on /usr/ucb/ps ?
Arve Kjoelen, System Administrator, Electrical Engineering Dept.,
Southern Illinois University at Edwardsville, 618-692-2524
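
An added example, not part of the original post: a small Python parser for the two truss excerpts above that normalizes the per-run temporary name and descriptor numbers so the sequences can be compared mechanically, and lists the calls that go back to the new file by name after open() has created it. The function names are this example's own; the trace lines are copied from the post with the write() calls left out.

```python
import re

# Trace lines copied from the post; the write() calls are left out.
BIN_PS = r'''access("/tmp/ps.a006Pk", 0) Err#2 ENOENT
open("/tmp/ps.a006Pk", O_WRONLY|O_CREAT|O_EXCL, 0664) = 3
chown("/tmp/ps.a006Pk", 0, 3) = 0
close(3) = 0
rename("/tmp/ps.a006Pk", "/tmp/ps_data") = 0'''
UCB_PS = r'''access("/tmp/ps.a006Nd", 0) Err#2 ENOENT
open("/tmp/ps.a006Nd", O_WRONLY|O_CREAT|O_EXCL, 0664) = 4
chown("/tmp/ps.a006Nd", 0, 3) = 0
close(4) = 0
rename("/tmp/ps.a006Nd", "/tmp/ups_data") = 0'''

CALL = re.compile(r'^(\w+)\((.*)\)\s+(=\s*-?\d+|Err#\d+\s+\w+)')
TMPNAME = re.compile(r'/tmp/ps\.\w+')  # per-run temporary file name

def parse(trace):
    """Yield (syscall, [args], result) for each recognisable truss line."""
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if m:
            name, args, result = m.groups()
            yield name, [a.strip() for a in args.split(',')], result

def shape(trace):
    """(syscall, first argument) pairs; temp name and fd numbers normalized."""
    return [(name, TMPNAME.sub('/tmp/ps.<tmp>', args[0].strip('"'))
             if args[0].startswith('"') else 'fd')
            for name, args, _ in parse(trace)]

def by_path_after_create(trace):
    """Calls that name the new file by path after open(O_CREAT) made it."""
    created, hits = set(), []
    for name, args, _ in parse(trace):
        if name == 'open' and len(args) > 1 and 'O_CREAT' in args[1]:
            created.add(args[0])
        elif args[0] in created:
            hits.append(name)
    return hits

if __name__ == '__main__':
    print('same shape:', shape(BIN_PS) == shape(UCB_PS))
    for label, trace in (('/usr/bin/ps', BIN_PS), ('/usr/ucb/ps', UCB_PS)):
        print(label, by_path_after_create(trace))
```

Run on the excerpts, the two normalized sequences compare equal and both binaries show chown and rename acting on the path rather than on the open descriptor; the only differences left in the posted traces are the extra write() calls and the rename destination.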
