Bugtraq mailing list archives
Re: Solaris patchadd(1) (3) symlink vulnerability
From: "Juan M. Courcoul" <courcoul () CAMPUS QRO ITESM MX>
Date: Wed, 20 Dec 2000 23:27:25 -0600
"Juergen P. Meier" wrote: ...

> However: Sun Microsystems does recommend to only install patches in single-user mode (runlevel S). So no other possibly malicious user can exploit this ksh behaviour.

True single-user mode, meaning the state of the machine after it starts with a 'boot -s', is, indeed, the safest state in which to apply patches, especially those that have systemwide consequences. However, application patches can be cautiously applied, like Sun recommends, "with the system with a minimum of activity". ...

> Always do init S before applying Solaris patches (especially if you do kernel or device driver patches; check your READMEs).

Unless you are running a recent (>= Solaris 7) version, I would emphatically recommend that you shut the machine down, start it with a 'boot -s', and then apply your recommended patches in THIS single-user mode. My experience with previous versions (we've been running Solaris hosts since 2.3) is that 'init S' does not guarantee that all multiuser processes get killed, since not all of these have the corresponding Kxxx shutdown scripts in the appropriate rcX.d directory. Sure, users do get booted out, but the processes continue running happily, so you can still find yourself in a pickle.

> Again: if you follow the vendor's recommendations, you are not vulnerable.

Well... I've seen other vendors shoot themselves in the foot on this one, but that will be a topic for other discussions.

> On Tue, Dec 19, 2000 at 07:00:20PM +1100, Paul Szabo wrote:
> > Jonathan Fortin <jfortin () REVELEX COM> wrote:
> > > When patchadd is executed, it creates temporary files called "/tmp/sh<pidofpatchadd>.1", "/tmp/sh<pidofpatchadd>.2", "/tmp/sh<pidofpatchadd>.3" and assigns them mode 666 ...
> > I guess that patchadd is a "sh" script using the "<<" construct, this being an instance of the bug I reported recently: http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.NAA19716 () milan maths usyd edu au
> > This is essentially the same as the tcsh bug fixed recently in other OSs.
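An added example, not code from this thread or from Sun: a pre-flight script an administrator could run as root before patchadd, checking the two things the posts above argue about, that the host really is at run level S (via `who -r`) and that /tmp holds no pre-planted symlinks under the `sh<pid>.<n>` names the thread says sh(1) uses for its heredoc temp files. The file-name pattern comes from the thread; the function names and the `--check` flag are my own assumptions.

```shell
# runlevel_from_who_r: read `who -r` output on stdin and print the run-level token.
# Both the Solaris and the Linux layouts print the level right after the literal
# word "run-level", so one awk loop serves both.
runlevel_from_who_r() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "run-level") { print $(i+1); exit } }'
}

# scan_tmp_symlinks DIR: print every symlink in DIR named like sh<pid>.<n>
# (the pattern from the thread). Returns 1 if any was found, else 0.
# A regular file with such a name is left alone; only symlinks are reported.
scan_tmp_symlinks() {
    dir=${1:-/tmp}
    found=0
    for f in "$dir"/sh[0-9]*.[0-9]*; do
        # An unmatched glob leaves the pattern itself in $f; skip it.
        # -L is tested separately because a dangling link fails -e.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            printf 'pre-planted symlink found: '
            ls -ld "$f"
            found=1
        fi
    done
    return $found
}

# preflight_patchadd: refuse unless the host is at run level S and /tmp is clean.
preflight_patchadd() {
    level=$(who -r 2>/dev/null | runlevel_from_who_r)
    case $level in
        S|s) ;;
        *)  echo "not in single-user mode (run level '${level:-unknown}'); boot -s first" >&2
            return 1 ;;
    esac
    scan_tmp_symlinks /tmp || return 1
    echo "ok: run level S and no sh<pid>.<n> symlinks in /tmp"
}

# Only run the check when invoked explicitly (sh preflight.sh --check), so the
# functions can also be sourced into another script.
if [ "${1:-}" = "--check" ]; then
    preflight_patchadd
fi
```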