Bugtraq mailing list archives

Re: Solaris patchadd(1) (3) symlink vulnerability


From: "Juan M. Courcoul" <courcoul () CAMPUS QRO ITESM MX>
Date: Wed, 20 Dec 2000 23:27:25 -0600

"Juergen P. Meier" wrote:
...

> However: Sun Microsystems does recommend to only install
> patches in single-user mode (runlevel S). So no other
> possibly malicious user can exploit this ksh behaviour.

True single-user mode, meaning the state of the machine after it starts with a
'boot -s' is, indeed, the safest state in which to apply patches, especially
those that have systemwide consequences. However, application patches can be
cautiously applied, like Sun recommends, "with the system with a minimum of
activity".

...

> Always do init S before applying Solaris patches. (especially
> if you do kernel or device driver patches, check your READMEs).

Unless you are running a recent (>= Solaris 7) version, I would emphatically
recommend that you shut the machine down, start it with a 'boot -s', and then
apply your recommended patches in THIS single-user mode. My experience with
previous versions (we've been running Solaris hosts since 2.3) is that 'init S'
does not guarantee that all multiuser processes get killed, since not all of
these have the corresponding Kxxx shutdown scripts in the appropriate rcX.d
directory. Sure, users do get booted out, but the processes continue running
happily, so you can still find yourself in a pickle.

> Again: if you follow the vendor's recommendations, you are
> not vulnerable.

Well... I've seen other vendors shoot themselves in the foot on this one, but
that will be a topic for other discussions.


> On Tue, Dec 19, 2000 at 07:00:20PM +1100, Paul Szabo wrote:
> > Jonathan Fortin <jfortin () REVELEX COM> wrote:
> >
> > > When patchadd is executed, it creates a temporary file called
> > > "/tmp/sh<pidofpatchadd>.1", "/tmp/sh<pidofpatchadd>.2",
> > > "/tmp/sh<pidofpatchadd>.3" and assigns them mode 666 ...
> >
> > I guess that patchadd is a "sh" script using the "<<" construct, this
> > being an instance of the bug I reported recently:
> >
> >   http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.NAA19716 () milan maths usyd edu au
> >
> > This is essentially the same as the tcsh bug fixed recently in other OSs.
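From the defender's side, the observable trace of the problem Jonathan and Paul describe is a predictable, world-writable temp file (or a symlink sitting where that file is expected) in /tmp. The following POSIX sh function is an added example, not code from this thread, from Sun or from any of the posters: it audits the top level of one directory for entries named sh<pid>.<n> that are either symlinks or writable by everyone. The name pattern and the /tmp default come from the report; the function name audit_tmp and its exit-status convention are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sun.
# Audits one directory (default /tmp) for the two symptoms the report describes:
# predictable "sh<pid>.<n>" heredoc temp files left world-writable (mode 666),
# and entries with that name pattern that are symlinks, which is what a link
# planted against such a name looks like after the fact.
# Only the top level of the directory is examined.
# Exit status: 0 = nothing found, 1 = at least one finding (printed to stdout).

audit_tmp() {
    dir=${1:-/tmp}
    findings=0
    for f in "$dir"/sh[0-9]*.[0-9]*; do
        # An unmatched glob stays literal; test -L first so dangling links count.
        [ -L "$f" ] || [ -e "$f" ] || continue
        if [ -L "$f" ]; then
            printf 'SYMLINK %s -> %s\n' "$f" "$(readlink "$f")"
            findings=$((findings + 1))
            continue
        fi
        # ls -ld prints e.g. "-rw-rw-rw-"; the 9th character is the "other" write bit.
        case $(ls -ld "$f") in
            -???????w*)
                printf 'WORLD-WRITABLE %s\n' "$f"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# When saved as audit_tmp.sh and run directly, audit /tmp (or the directory in $1).
case ${0##*/} in
    audit_tmp.sh) audit_tmp "$@" ;;
esac
```

Running this on a box while patchadd is executing (or afterwards) is a cheap way to confirm whether the installed sh leaves these files at 666, and the symlink check gives a concrete indicator to alert on for hosts that cannot be taken to single-user mode.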


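Juan's point about 'init S' is that a start script with no matching Kxxx script in the run level you are dropping to leaves that service running. The following POSIX sh script is an added example (not from this thread, from Sun or from any poster) that makes that check mechanical: given a directory of S##name start scripts and one or more directories of K##name kill scripts, it prints every service that is started but never killed. The specific directories (/etc/rc2.d, /etc/rc3.d for starts; /etc/rcS.d, /etc/rc0.d, /etc/rc1.d for kills) are assumptions about the Solaris layout and are passed as arguments so the script can be pointed at whatever your release actually uses; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sun.
# Reports services that a multi-user run level starts (S##name scripts) but
# that have no K##name script in any of the kill directories consulted on the
# way down to single-user, i.e. processes 'init S' will leave running.
# The directory names are assumptions; pass the ones your release uses, e.g.
#   rc_unkilled.sh /etc/rc2.d /etc/rcS.d /etc/rc0.d

service_name() {
    # Strip the path, the S/K letter and the two-digit sequence number:
    # /etc/rc2.d/S20sendmail -> sendmail
    name=${1##*/}
    name=${name#[SK]}
    name=${name#[0-9]}
    name=${name#[0-9]}
    printf '%s\n' "$name"
}

unkilled_services() {
    start_dir=$1
    shift   # every remaining argument is a directory of K scripts
    for s in "$start_dir"/S[0-9][0-9]*; do
        [ -e "$s" ] || continue          # unmatched glob stays literal
        svc=$(service_name "$s")
        found=0
        for kdir in "$@"; do
            # Any K script carrying the same service name counts as a match,
            # whatever its sequence number.
            for k in "$kdir"/K[0-9][0-9]"$svc"; do
                [ -e "$k" ] && found=1
            done
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$svc"
    done
    return 0
}

# When saved as rc_unkilled.sh and run directly: first arg is the start
# directory, the rest are kill directories.
case ${0##*/} in
    rc_unkilled.sh) unkilled_services "$@" ;;
esac
```

An empty result does not prove the box is quiet (a daemon may also be started from inittab or by hand), so it complements rather than replaces looking at the process table after the transition; a non-empty result, though, is exactly the gap Juan describes and an argument for 'boot -s'.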