Bugtraq mailing list archives

Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm]


From: tthacker () mtc iitri com (Terrell Thacker)
Date: Thu, 5 Dec 1996 16:53:56 EST


> I tried your example on three different Solaris 2.5 machines with varying
> patch levels. On all of them, after setting up the environment as
> specified, running the chkperm command resulted in an error message, and no
> .rhosts file was created in /usr/bin.
>
> -----
> % /usr/vmsys/bin/chkperm -l -u foo
> Error creating <gibberish characters>
> -----
>
> Was anyone able to successfully reproduce this exploit?

Try running chkperm in a directory that has world write
privilege or in a directory that belongs to bin.  chkperm
on Solaris 2.5 seems to create a file called <gibberish
characters> in the directory from where you execute it.
chkperm needs write access for user bin (or group bin) to
the directory from which you execute it.  It also works
the same with just 'chkperm -l'; you can set the environment
variable VMSYS to anything.

You could create the link (to .rhosts in the example) using
the <gibberish characters> file name created by chkperm
and accomplish the same result.

The exploit worked as advertised on a patched Solaris 2.4
machine.  The binaries are definitely different between
2.4 and 2.5.

*-----------------------------------------------------------------------*
      []  [] ###### #####   []      Maryland Technology Center
      ##  ##   ##   ##  ##  ##      IIT Research Institute
      ##  ##   ##   #####   ##
      ##  ##   ##   ##  ##  ##      Terrell Thacker
      ##  ##   ##   ##  ##  ##      tthacker () mtc iitri com
*-----------------------------------------------------------------------*
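
An added example, not part of the original post and not Sun's chkperm source: the post reports that chkperm creates a file in the directory it is run from and that a link under that file name redirects the result. Assuming the underlying pattern is a create-by-name that follows an existing link, this C program contrasts it with an exclusive create inside a constructed temporary directory; all function and file names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed legacy pattern: create by name and follow whatever is already there. */
static int create_following(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0644);
}

/* Hardened: O_CREAT|O_EXCL fails if the name exists in any form, including a
 * dangling symlink; O_NOFOLLOW is kept as defensive redundancy. */
static int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: "work" is a link planted under the name the program
 * will create, "victim" is where it points. Returns a bitmask:
 * bit 0 = legacy create produced the victim file,
 * bit 1 = hardened create was refused and the victim stayed absent. */
int demo(void) {
    char dir[] = "/tmp/chkdemoXXXXXX", lnk[64], victim[64];
    struct stat st;
    int result = 0, fd;

    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/work", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, lnk) != 0) return -1;

    fd = create_exclusive(lnk);            /* hardened path first */
    if (fd < 0 && lstat(victim, &st) != 0) result |= 2;
    if (fd >= 0) close(fd);

    fd = create_following(lnk);            /* legacy path second */
    if (fd >= 0) close(fd);
    if (lstat(victim, &st) == 0) result |= 1;

    unlink(victim); unlink(lnk); rmdir(dir);
    return result;
}

int main(void) {
    int r = demo();
    printf("legacy create followed the link: %s\n", (r & 1) ? "yes" : "no");
    printf("hardened create refused:         %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

A privileged program is safer still if it never creates working files in a directory the caller chooses.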
