Bugtraq mailing list archives
Re: From the moderator: READ Please
From: claudio () fire di unipi it (Claudio Telmon)
Date: Mon, 22 May 1995 11:03:20 +0200
I'm sorry for the wasted bandwidth, so I'll send something more interesting (I hope :)). Two problems, not really bugs. I've found them on Linux, but you may find them on other u**x too.

1) Some new releases of sendmail install the program as group kmem. I can't see any good reason for this; if I'm wrong please correct me. This group is dangerous, because it is able to read the kernel and physical memory. I was able to get a shell as group kmem via the old ident bug, and to find some fragments of the shadow passwords file in the kernel memory. Newer bugs may give the same opportunity.

2) There is a (known?) way to run arbitrary script files as suid/sgid without the need to set the permission bits. All you need is write permission in the /var/spool/atjobs directory. This is because atrun uses the user/group of the files in the directory to suid/sgid before execution. If you can add a link in the directory to your target file, atrun will execute it as suid/sgid. If you have write permission to a file, you can write a script in it and run it suid to the owner. There are some limits: it won't work on an NFS mounted file system, and maybe it works only on the file system of /var/spool/atjobs. The problem, IMHO, is that using file ownership as sticky bits is not correct. On my Linux, the directory is owned by bin. Bin has little or no other permissions (most files are owned by root), but this way it becomes a very dangerous user.

Ciao - Claudio
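The two conditions described in the post (a setgid-kmem binary such as sendmail, and an at spool whose job files are links to files owned by someone else) are both things an administrator can audit with standard tools. The script below is an added example written for this archive page; it is not code from the original message or from any sendmail or at distribution. It assumes a POSIX sh, `find`, and `ls`, and it takes the group name and spool path as arguments because both vary between systems (the post names `kmem` and `/var/spool/atjobs`).

```shell
#!/bin/sh
# Added audit helper (not from the original post).
# Part 1: list setgid executables belonging to a given group, e.g. kmem.
# Part 2: inspect an at-style spool directory for the conditions the post
#         describes: a directory others can write into, and job files that
#         are symlinks or hard links to files living elsewhere.

# find_sgid_group DIR GROUP
#   Prints every regular file under DIR (same file system) that has the
#   setgid bit and belongs to GROUP. On the post's system this would list
#   sendmail when run as: find_sgid_group / kmem
find_sgid_group() {
    find "$1" -xdev -type f -perm -2000 -group "$2" 2>/dev/null
}

# check_spool DIR
#   Prints one finding per line and returns 1 if anything was found.
#   - WRITABLE: group or others may create entries (links) in the spool.
#   - SYMLINK:  a job entry that is really a symlink to another file.
#   - HARDLINK: a job entry whose inode is also reachable under another
#               name (link count > 1), i.e. someone else's file was linked in.
check_spool() {
    spool="$1"
    rc=0

    # ls -ld prints e.g. "drwxrwxr-x"; column 6 is group write, column 9 is
    # other write. Using ls keeps this portable across find implementations.
    perm=$(ls -ld "$spool" | cut -c1-10)
    case "$perm" in
        ?????w????|????????w?)
            echo "WRITABLE: $spool is group- or world-writable"
            rc=1 ;;
    esac

    for f in "$spool"/*; do
        # Skip the literal glob when the directory is empty.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            echo "SYMLINK: $f"
            rc=1
        elif [ -n "$(find "$f" -links +1 2>/dev/null)" ]; then
            echo "HARDLINK: $f"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh audit.sh ROOT GROUP [SPOOL]
# Example from the post's setup: sh audit.sh / kmem /var/spool/atjobs
# Exit status is non-zero when the spool check produced findings.
if [ "$#" -ge 2 ]; then
    echo "== setgid $2 executables under $1 =="
    find_sgid_group "$1" "$2"
    echo "== spool check =="
    check_spool "${3:-/var/spool/atjobs}"
fi
```

The hard-link check is the interesting one: because atrun takes the execution identity from the job file's owner, a job file that is a second name for a file owned by another user is exactly the condition the post warns about, and a link count above one is the cheapest way to notice it. Keeping the spool directory writable only by its owner removes the precondition entirely.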
Current thread:
- Solaris 2.x utmp hole Scott Chasin (May 17)
- Re: Solaris 2.x utmp hole Jas (May 17)
- Re: Solaris 2.x utmp hole Scott Barman (May 18)
- <Possible follow-ups>
- Re: Solaris 2.x utmp hole cjc () summit novell com (May 18)
- Re: Solaris 2.x utmp hole Claudio Telmon (May 18)
- Re: Solaris 2.x utmp hole Claudio Telmon (May 19)
- Re: Solaris 2.x utmp hole System Admin (May 18)
- Another translation Patrick Horgan (May 18)
- Re: Solaris 2.x utmp hole gio () DI UniPi IT (May 19)
- From the moderator: READ Please Scott Chasin (May 19)
- Re: From the moderator: READ Please Claudio Telmon (May 22)
- Re: From the moderator: READ Please Greg Woods (May 22)
- Re: From the moderator: READ Please Michael Shields (May 22)
- Re: From the moderator: READ Please Greg Woods (May 22)
- Re: From the moderator: READ Please Robert M. Haas (May 22)
- un-subscribe Karl Kamin (May 22)