Bugtraq mailing list archives
Re: License Manager's lockfiles (Solaris 2.5.1)
From: Peter.Marelas () FULCRUM COM AU (Peter Marelas)
Date: Sat, 24 Oct 1998 20:00:43 +1000
On Fri, 23 Oct 1998, Roger Harrison ? wrote:
On Wed, 21 Oct 1998, Joel Eriksson wrote:

License Manager on Solaris 2.5.1 tends to make stupid lockfiles owned by root and mode 666 (world-writable). That is not good, since anyone could create root-owned files which they then would be able to modify. It's an even bigger problem since it just takes about a minute 'til the lockfile is created after it's replaced with a symlink, which it follows ..

I discovered this a few months ago and neglected to post it. Solaris 2.6 is affected as well. A lock file locksuntechd is created in /tmp, mode 666, owned by root and group root. I think the program is lmgrd FLEXlm v2.26d that is causing the problems, either that or suntechd.

%ls -la /tmp/locksuntechd
-rw-rw-rw- 1 root root 0 Oct 22 12:51 locksuntechd

suntechd is in /opt/SUNWspro/SunTech_License/bin/. There is a log file that contains some stuff about when the daemon is going up or down, and also, if users are exploiting it, you can see entries about the lock file not being available. It is in /opt/SUNWspro/SunTech_License/license.log

So to exploit it, just remove the locksuntechd file and replace it with a symlink to a file you want to create. It will not overwrite existing files, from the testing that I did. Then the link is followed and the new file is created with mode 666, ownership root. You can then delete the symlink and create a new one to somewhere else and it will work again and again and again... what fun. Users could create .rhosts files, new system webpages, new trojan binaries with names spelled slightly off that get misspelled often (finger-fineger, pine-pien, ls-sl). Come on.. tell me you never typed one of those out wrong while you were typing fast!
The version of flexlm you're using is ancient. The current version is 6.1. A large number of vulnerabilities in flexlm were made public in Sep 1996. This includes the file permission races in /var/tmp that have been highlighted here. The bottom line is flexlm should NOT be run as root. See http://www.globetrotter.com/auscert.htm for the advisory.

Regards
Peter Marelas
--
 /\       The Fulcrum Consulting Group                        Peter Marelas - Consultant
/\O\      Professional Services For Operation                 Peter.Marelas () fulcrum com au
/ /\      Of A Networked Computing Environment                 ph: +61-3-9621-2100
/o | \    12/10-16 Queen St, Melbourne VIC 3000, Australia     fx: +61-3-9621-2724
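The lock-file race the thread describes, reproduced as an added example. This is not code from lmgrd, suntechd or any of the posters; the function names, the scratch directory and the "victim.rhosts" target are hypothetical. The unsafe creator does what the post observes (fixed name in a world-writable directory, created through whatever entry is already there, then chmod 666), so a planted symlink becomes "create any file, root-owned, world-writable". The hardened creator uses O_CREAT|O_EXCL|O_NOFOLLOW, which POSIX guarantees will fail with EEXIST when the path is a symlink, even a dangling one, and never grants world write. The demo runs unprivileged in a private mkdtemp directory, so it shows the follow behaviour without needing root and without being blocked by Linux's protected_symlinks (which only applies to sticky world-writable directories):

```c
/* Added example, not code from lmgrd/suntechd or the thread.
 * Names, paths and the scratch directory are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the thread describes: fixed lock name in a world-writable
 * directory, created through whatever entry already exists at `path'
 * (a symlink included), then forced to mode 666. Run as root, a planted
 * symlink turns this into "create any file, root-owned, world-writable". */
int create_lock_unsafe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return -1;
    fchmod(fd, 0666);            /* mirrors the -rw-rw-rw- seen in the post */
    return fd;
}

/* Hardened form. O_EXCL refuses to create through an existing entry
 * (POSIX: a symlink at `path' yields EEXIST regardless of its target),
 * O_NOFOLLOW refuses to open through a symlink, and the mode is not
 * world-writable. The lock should also live in a root-owned directory
 * such as /var/run, otherwise an attacker can still pre-create a regular
 * file and deny the lock; and, as the reply above says, the daemon
 * should not run as root in the first place. */
int create_lock_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

/* Stage the attack in a private scratch directory (constructed here).
 * Returns 1 when all three hold, 0 otherwise (or on setup failure):
 *   - the unsafe creator followed the planted symlink and produced the
 *     target, world-writable;
 *   - the safe creator refused the same planted symlink with EEXIST;
 *   - with the symlink gone, the safe creator makes a lock that is not
 *     group- or world-writable. */
int demo_symlink_race(void) {
    char dir[] = "/tmp/lockdemo.XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char lock[256], target[256];
    snprintf(lock, sizeof lock, "%s/locksuntechd", dir);
    snprintf(target, sizeof target, "%s/victim.rhosts", dir);

    /* attacker: plant the (dangling) symlink before the daemon runs */
    if (symlink(target, lock) != 0) { rmdir(dir); return 0; }

    struct stat st;
    int fd = create_lock_unsafe(lock);
    int victim_created = (fd >= 0 && stat(target, &st) == 0 &&
                          (st.st_mode & 0666) == 0666);
    if (fd >= 0) close(fd);
    unlink(target);              /* link dangles again, as after a re-plant */

    int safe_fd = create_lock_safe(lock);
    int safe_refused = (safe_fd < 0 && errno == EEXIST);
    if (safe_fd >= 0) close(safe_fd);

    unlink(lock);                /* no symlink: the safe creator must succeed */
    int clean_fd = create_lock_safe(lock);
    int clean_ok = (clean_fd >= 0 && fstat(clean_fd, &st) == 0 &&
                    (st.st_mode & 0022) == 0);
    if (clean_fd >= 0) close(clean_fd);

    unlink(lock); unlink(target); rmdir(dir);
    return victim_created && safe_refused && clean_ok;
}

int main(void) {
    printf("symlink race reproduced and blocked: %d\n", demo_symlink_race());
    return 0;
}
```

Compile with `cc -o lockdemo lockdemo.c` and run as an ordinary user; the value 1 means the unsafe variant created the victim file through the symlink while the hardened open() refused it. Note that O_EXCL only closes the symlink-follow hole; it does not help a daemon that keeps its lock in /tmp against a pre-created regular file, which is why the lock belongs in a directory only the daemon's own user can write.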
Current thread:
- SVGATextMode 1.8 /tmp race Adrian Voinea (Oct 21)
- License Manager's lockfiles (Solaris 2.5.1) Joel Eriksson (Oct 21)
- Re : 13 tiny bytes to show the huge sillyness of our great common ga (Oct 23)
- Re: License Manager's lockfiles (Solaris 2.5.1) pedward () WEBCOM COM (Oct 23)
- Re: License Manager's lockfiles (Solaris 2.5.1) Roger Harrison ? (Oct 23)
- Re: License Manager's lockfiles (Solaris 2.5.1) Peter Marelas (Oct 24)
- Re: SVGATextMode 1.8 /tmp race dumped (Oct 22)
- Re: SVGATextMode 1.8 /tmp race Ben Collins (Oct 22)
- Re: SVGATextMode 1.8 /tmp race Marcelo Roccasalva (Oct 23)
- Incorrect behaviour of setre[ug]id in OpenBSD Will Waites (Oct 22)
- Re: Incorrect behaviour of setre[ug]id in OpenBSD Will Waites (Oct 23)
- slocate v1.4 klindsay (Oct 24)
- Re: Incorrect behaviour of setre[ug]id in OpenBSD matthew green (Oct 24)
- HP 11.0 sulog Problem Ron Youngclaus (Oct 26)