Bugtraq mailing list archives
Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm]
From: tthacker () mtc iitri com (Terrell Thacker)
Date: Thu, 5 Dec 1996 16:53:56 EST
I tried your example on three different Solaris 2.5 machines with varying patch levels. On all of them, after setting up the environment as specified, running the chkperm command resulted in an error message, and no .rhosts file was created in /usr/bin. ----- % /usr/vmsys/bin/chkperm -l -u foo Error creating <gibberish characters> ----- Was anyone able to successfully reproduce this exploit?
Try running chkperm in a directory that has world write privilege or in a directory that belongs to bin. chkperm on Solaris 2.5 seems to create a file called <gibberish characters> in the directory from where you execute it. chkperm needs write access for user bin (or group bin) to the directory from which you execute it. It also works the same with just 'chkperm -l', you can set the environment variable VMSYS to anything. You could create the link (to .rhosts in the example) using the <gibberish characters> file name created by chkperm and accomplish the same result. The exploit worked as advertised on a patched Solaris 2.4 machine. The binaries are definitely different between 2.4 and 2.5. *-----------------------------------------------------------------------* [] [] ###### ##### [] Maryland Technology Center ## ## ## ## ## ## IIT Research Institute ## ## ## ##### ## ## ## ## ## ## ## Terrell Thacker ## ## ## ## ## ## tthacker () mtc iitri com *-----------------------------------------------------------------------*
Current thread:
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Terrell Thacker (Dec 05)
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Paul B. Henson (Dec 05)
- SGI Security Advisory 19961201-01-PX - Desktop searchbook Program SGI Security Coordinator (Dec 05)
- suid_exec problem clarification Yuri Volobuev (Dec 05)
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Nikolai Matyushenko (Dec 06)
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Paul B. Henson (Dec 06)
- New INN security problems Chris Timmons (Dec 06)
- suid_exec Javier Romeu (Dec 06)
- <Possible follow-ups>
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Kevin L Prigge (Dec 05)
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Paul Ashton (Dec 06)
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Casper Dik (Dec 06)