Bugtraq mailing list archives
Re: HP Security vulnerability in the man command
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Mon, 5 Jun 2000 11:48:31 -0600
0) HP *still* insists on NOT setting the sticky bit on world-writeable temporary directories (/tmp and /var/tmp) on default installs of HPUX.
If this is the case, then any temporary file which gets reopened is not safe. A *lot* of software does reopening by name. During the OpenBSD security audit, when we started dealing with /tmp issues, I would roughly estimate that about 30% of the 800+ issues we found in our source tree used filename reopening. Like mail, yacc, ed, sed, lex, ... In particular, the entire compiler suite. Without setting foot on an HPUX machine (and instead using an x86 for a foot pedestal) I would bet that the cc -> cpp -> cc1 -> as -> ld toolchain uses filename parameter passing; if HPUX still ships without the +t bit set on /tmp, it should be fairly easy for any user to become another (active) user. I believe l0pht even has a tool to watch /tmp for such things.
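As an added illustration (not part of the original message, and not OpenBSD's or HP's code), the C sketch below checks a temporary directory for the missing sticky bit and shows a guarded reopen-by-name that accepts the file only if it is the same inode as a descriptor the program still holds. The function names `tmpdir_is_safe`, `reopen_checked` and `demo`, and the scratch directory under /tmp, are assumptions made for the example.

```c
#define _GNU_SOURCE             /* for mkdtemp() and O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 = usable for temp files, 0 = world-writable without sticky bit, -1 = error */
int tmpdir_is_safe(const char *dir) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return !((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX));
}

/* Reopen `name`, but hand back the descriptor only if it is the same regular
 * file (device + inode) that the still-open `orig_fd` refers to. */
int reopen_checked(int orig_fd, const char *name) {
    struct stat a, b;
    int fd = open(name, O_RDWR | O_NOFOLLOW);   /* refuse a symlink at `name` */
    if (fd < 0) return -1;
    if (fstat(orig_fd, &a) != 0 || fstat(fd, &b) != 0 || !S_ISREG(b.st_mode) ||
        a.st_dev != b.st_dev || a.st_ino != b.st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private directory: reopen the name untouched, then
 * after a different file has taken its place. Returns 1 if only the first passes. */
int demo(void) {
    char dir[] = "/tmp/reopen-demo-XXXXXX", path[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/work", dir);
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    int same = reopen_checked(fd, path);          /* untouched name: accepted */
    unlink(path);
    int other = open(path, O_RDWR | O_CREAT | O_EXCL, 0600); /* new inode, same name */
    int swapped = reopen_checked(fd, path);       /* must be rejected */
    int ok = fd >= 0 && other >= 0 && same >= 0 && swapped == -1;
    close(same); close(other); close(fd);         /* close(-1) is a harmless EBADF */
    unlink(path); rmdir(dir);
    return ok;
}

int main(void) {
    printf("/tmp safe: %d, swap detected: %d\n", tmpdir_is_safe("/tmp"), demo());
    return 0;
}
```

The inode comparison only helps where the original descriptor is still open; passing the descriptor itself to the next stage avoids the reopen entirely.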