Bugtraq mailing list archives
Re: Solaris patchadd(1) (3) symlink vulnerabilty
From: Jonathan Fortin <Jfortin () REVELEX COM>
Date: Thu, 21 Dec 2000 07:44:57 -0500
Greetings, It is not the shells fault in this case, it's the shellscript it's self that is creating a faulty temp file, exampled pulled from the script, tmp=$($GREP PATCHID $i), It's obvious that their completely retarded whoever created patchadd. The only solution to protect yourself would be mounting it with nosymfollow if its available in solaris, since it's not in the version I tryed, solaris 7, then we are kinda stuck with a bulky solution.. Sincerely, Jonathan -----Original Message----- From: Paul Szabo To: BUGTRAQ () SECURITYFOCUS COM Sent: 20/12/00 5:13 PM Subject: Re: Solaris patchadd(1) (3) symlink vulnerabilty Juergen P. Meier <jpm () class de> wrote:
Solaris /usr/sbin/patchadd is a /bin/ksh script. The problem lies in the vulnerability of ksh.
Damn: thus it would seem that not only sh, but also ksh is vulnerable!
However: Sun Microsystems does recommend to only install patches at single-user mode (runlevel S). ... ... if you follow the Vendors recommendations, you are not vulnerable.
The attacker can create the symlinks before you go single-user. As the original poster Jonathan Fortin <jfortin () REVELEX COM> said:
Only solution is to rm -rf /tmp/* /tmp/.* [and] make sure no users are
on Paul Szabo - psz () maths usyd edu au http://www.maths.usyd.edu.au:8000/u/psz/ School of Mathematics and Statistics University of Sydney 2006 Australia
Current thread:
- Re: Solaris patchadd(1) (3) symlink vulnerabilty, (continued)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Dan Harkless (Dec 20)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juergen P. Meier (Dec 20)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juan M. Courcoul (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Cy Schubert - ITSD Open Systems Group (Dec 22)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Paul Szabo (Dec 20)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Peter W (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juergen P. Meier (Dec 22)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juan M. Courcoul (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Juergen P. Meier (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Paul Theodoropoulos (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Peter W (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Jonathan Fortin (Dec 21)
- Re: Solaris patchadd(1) (3) symlink vulnerabilty Neulinger, Nathan R. (Dec 21)