Bugtraq mailing list archives
Re: HPUX expreserve == SunOS 4.13 expreserve?
From: lopatic () dbs informatik uni-muenchen de (Thomas Lopatic)
Date: Fri, 26 Jul 1996 10:57:09 +0200
Is the "new" hpux expreserve bug the same as the sunos 4.1.3 expreserve bug?
This is a nice example of how to make mistakes efficiently, i.e. two mistakes with only three statements. :D

/usr/preserve is world-writable, so anybody is able to create symlinks in there. HP's expreserve uses stat() to find out whether a file already exists in /usr/preserve. stat() follows links, so they should have used lstat() here, which returns information on the link instead of the file it points to. So in this way you are able to create e.g. '/.rhosts', which is then owned by yourself. However, HP-UX has the nice feature of enabling you to give files away, so you edit '/.rhosts' and do 'chown root /.rhosts'.

After checking with stat(), they do a creat() followed by a chown(), which opens a race condition (/usr/preserve doesn't even have the sticky bit set). Therefore we might be able to chown() any local file if we are lucky.

The only question is: why did they set the set-user-id bit on expreserve, if /usr/preserve is world-writable anyway? (And vice versa.) So this makes two mistakes with only stat(), creat() and chown(). Who offers more? :D

Oh, by the way, I've reported this to HP in Dec '94 (no typo).

And since we are talking about HP... They now have a patch for the rpc.statd stuff. I haven't seen this disclosed here yet. The rpc.statd creates files in /etc/sm. I haven't verified this, but it seems that you may pass the rpc.statd a filename containing '..'. This would perfectly match the problem description (create files with mode 0x200, remove them). Can anyone confirm?

Oh, the '..' leads us to the award for repeating the same mistake. There was a '..' error in Microsoft's implementation of disk sharing using the SMB protocol (just like the corresponding NFS bug), and there is another '..' error in their Internet Information Server. Anyone offering more?

Over and out before I slip completely off topic.

-Thomas

--
Thomas Lopatic
lopatic () informatik uni-muenchen de
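The stat()/creat()/chown() sequence Thomas describes, and the way a dangling symlink in the spool directory defeats it, is easy to reproduce. The following is an added example written for this page; it is not HP's code, not code from the post, and the names (preserve_vulnerable, preserve_hardened, run_scenario, the spool directory under /tmp, the entry name "Ex1234", the victim file "victim_rhosts") are all made up for the demonstration. The vulnerable function follows the post's description literally; the hardened one shows what a modern libc offers instead: open the spool directory itself, create the entry with O_CREAT|O_EXCL|O_NOFOLLOW through openat() (O_CREAT|O_EXCL fails on an existing symlink even when it dangles, which is exactly the case stat() gets wrong), verify the opened object, and fchown() the descriptor instead of chown()ing the name, which closes the creat()-to-chown() race. The harness plants the symlink, runs each implementation as if it were the set-uid program, and reports whether the victim file came into existence. The chown to the caller's own uid is what keeps the demo runnable without root.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*preserve_fn)(const char *dir, const char *name, uid_t owner);

/* Vulnerable pattern from the post: stat() to see whether the name is
 * free, then creat() and chown() on the path.  stat() follows symlinks,
 * so a dangling link spool/Exnnnn -> victim looks "free", creat() makes
 * the victim through the link, and chown() on the name races against the
 * attacker swapping the entry.  Returns 0 on "success", -1 otherwise. */
int preserve_vulnerable(const char *dir, const char *name, uid_t owner)
{
    char path[4096];
    struct stat st;
    int fd;

    snprintf(path, sizeof path, "%s/%s", dir, name);
    if (stat(path, &st) == 0)             /* follows the link: wrong check */
        return -1;                        /* treated as "already exists" */
    fd = creat(path, 0600);               /* follows the link: creates target */
    if (fd < 0)
        return -1;
    close(fd);
    (void)chown(path, owner, (gid_t)-1);  /* race window: by name, not by fd */
    return 0;
}

/* Hardened version: no path components in the name, open the spool
 * directory itself, create atomically with O_CREAT|O_EXCL (fails on any
 * existing entry, a dangling symlink included) plus O_NOFOLLOW, verify
 * what was opened, and fchown() the descriptor so no rename can redirect
 * the ownership change.  Returns 0 on success, -1 with errno set. */
int preserve_hardened(const char *dir, const char *name, uid_t owner)
{
    int dfd, fd, saved;
    struct stat st;

    if (name[0] == '\0' || strchr(name, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }
    if ((dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)) < 0)
        return -1;
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) {                         /* EEXIST (or ELOOP) for a symlink */
        saved = errno;
        close(dfd);
        errno = saved;
        return -1;
    }
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        fchown(fd, owner, (gid_t)-1) < 0) {
        saved = errno;
        unlinkat(dfd, name, 0);           /* do not leave a half-made file */
        close(fd);
        close(dfd);
        errno = saved;
        return -1;
    }
    close(fd);
    close(dfd);
    return 0;
}

/* Demo harness (constructed scenario, hypothetical names): a private
 * "spool" directory under /tmp; with plant_link set, a dangling symlink
 * Ex1234 -> spool/victim_rhosts is planted first, as an attacker would.
 * Runs impl as the privileged program.  Returns 1 if the victim file was
 * created, 0 if not, -1 on setup failure; *rc_out (may be NULL) receives
 * impl's return value. */
int run_scenario(preserve_fn impl, int plant_link, int *rc_out)
{
    char spool[] = "/tmp/preserve.XXXXXX";
    char entry[4200], victim[4200];
    int rc, created;

    if (mkdtemp(spool) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim_rhosts", spool);
    snprintf(entry, sizeof entry, "%s/Ex1234", spool);
    if (plant_link && symlink(victim, entry) < 0)
        return -1;
    rc = impl(spool, "Ex1234", getuid());
    if (rc_out)
        *rc_out = rc;
    created = access(victim, F_OK) == 0;
    unlink(victim);                       /* clean up whatever got made */
    unlink(entry);
    rmdir(spool);
    return created;
}

/* Convenience: just the implementation's return value for a scenario. */
int scenario_rc(preserve_fn impl, int plant_link)
{
    int rc = -2;
    run_scenario(impl, plant_link, &rc);
    return rc;
}

int main(void)
{
    int rc, hit;
    hit = run_scenario(preserve_vulnerable, 1, &rc);
    printf("vulnerable, link planted: victim created=%d rc=%d\n", hit, rc);
    hit = run_scenario(preserve_hardened, 1, &rc);
    printf("hardened,   link planted: victim created=%d rc=%d\n", hit, rc);
    hit = run_scenario(preserve_hardened, 0, &rc);
    printf("hardened,   plain name:   victim created=%d rc=%d\n", hit, rc);
    return 0;
}
```

With the link planted, the vulnerable path reports success and the victim file exists afterwards; the hardened path fails with EEXIST and touches nothing, while still creating a fresh entry normally. lstat() alone, as the post suggests, would catch the symlink but leave the check-then-create race; the atomic O_EXCL create is what removes the window. Setting the sticky bit on the spool directory (and, on Linux, fs.protected_symlinks=1) is the matching directory-side mitigation, since it stops one user's symlink from being followed by a process running as another user.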
Current thread:
- HPUX expreserve == SunOS 4.13 expreserve? Matthew G. Harrigan (Jul 25)
- Re: HPUX expreserve == SunOS 4.13 expreserve? Thomas Lopatic (Jul 26)
- <Possible follow-ups>
- Re: HPUX expreserve == SunOS 4.13 expreserve? Paul Ashton (Jul 26)
- Re: HPUX expreserve == SunOS 4.13 expreserve? Matthew G. Harrigan (Jul 26)
- Microsoft IIS '..' Problem Thomas Lopatic (Jul 26)
- Re: Microsoft IIS '..' Problem John Ladwig (Jul 26)
- Microsoft IIS '..' Problem Thomas Lopatic (Jul 26)