Bugtraq mailing list archives

Re: Solaris patchadd(1) (3) symlink vulnerability


From: Jonathan Fortin <Jfortin () REVELEX COM>
Date: Thu, 21 Dec 2000 07:44:57 -0500

Greetings,

It is not the shell's fault in this case, it's the shell script itself that
is creating a faulty temp file, example pulled from the script,

tmp=$($GREP PATCHID $i), It's obvious that they're completely retarded,
whoever created patchadd.


The only solution to protect yourself would be mounting it with
nosymfollow if it's available in Solaris; since it's not in the version I
tried, Solaris 7, then we are kinda stuck with a bulky solution..


Sincerely,

Jonathan


-----Original Message-----
From: Paul Szabo
To: BUGTRAQ () SECURITYFOCUS COM
Sent: 20/12/00 5:13 PM
Subject: Re: Solaris patchadd(1)  (3) symlink vulnerability

Juergen P. Meier <jpm () class de> wrote:

> Solaris /usr/sbin/patchadd is a /bin/ksh script.
> The problem lies in the vulnerability of ksh.

Damn: thus it would seem that not only sh, but also ksh is vulnerable!

> However: Sun Microsystems does recommend to only install
> patches at single-user mode (runlevel S). ...
> ... if you follow the Vendor's recommendations, you are
> not vulnerable.

The attacker can create the symlinks before you go single-user. As the
original poster Jonathan Fortin <jfortin () REVELEX COM> said:

> Only solution is to rm -rf /tmp/* /tmp/.* [and] make sure no users are on

Paul Szabo - psz () maths usyd edu au
http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006
Australia
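
A pre-flight check for the situation discussed in this thread (symlinks already sitting in /tmp before a root-run script writes there), as an added example that is not part of the original posts. The function name `audit_tmp_symlinks` and its trusted-UID parameter are assumptions made for illustration; it only reports what it finds and removes nothing.

```shell
#!/bin/sh
# Added example, not from the thread or from patchadd itself.
#
# audit_tmp_symlinks [DIR] [TRUSTED_UID]
#   Prints one line per symlink under DIR (default /tmp) that is NOT owned
#   by TRUSTED_UID (default 0, i.e. root):
#       <owner-uid> <link-path> -> <target>
#   Exit status: 0 if nothing was found, 1 if at least one link was reported.
#
# Assumption for brevity: file names contain no newlines and link targets
# contain no " -> " sequence.
audit_tmp_symlinks() {
    dir=${1:-/tmp}
    trusted_uid=${2:-0}

    # "find -type l" matches the links themselves; by default find does not
    # follow them, so the audit cannot be redirected by what it inspects.
    report=$(
        find "$dir" -type l 2>/dev/null | while IFS= read -r link; do
            # ls -ldn: numeric owner in field 3, "link -> target" at the end.
            info=$(ls -ldn "$link" 2>/dev/null) || continue
            uid=$(printf '%s\n' "$info" | awk '{print $3}')
            if [ "$uid" = "$trusted_uid" ]; then
                continue
            fi
            target=${info##* -> }
            printf '%s %s -> %s\n' "$uid" "$link" "$target"
        done
    )

    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Typical use before running a root script that writes to /tmp:
#   audit_tmp_symlinks /tmp 0 || echo "review the links above first" >&2
```

The check narrows the window but does not close it: a link can still be created after the audit runs, which is why the posters above talk about clearing /tmp with no users logged on.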

