Bugtraq mailing list archives
Re: pmpost - another nice symlink follower
From: Damian Menscher <menscher () uiuc edu>
Date: Wed, 20 Jun 2001 01:55:51 -0500 (CDT)
On Tue, 19 Jun 2001, Jan-Frode Myklebust wrote:
On Mon, Jun 18, 2001 at 07:11:20PM +0200, Paul Starzetz wrote:there is a symlink handling problem in the pcp suite from SGI. The binary pmpost will follow symlinks, if setuid root this leads to instant root compromise, as found on SuSE 7.1 (I doubt that this a default SuSE package, though).It's probably a very rare package under linux, but more common under IRIX. I just tested your exploit against SGI's binary release of PCP 2.1 under IRIX 6.5.12m, and it worked just fine (after minor fixes).
Comparing notes with Jan-Frode indicated that SGI has released more than
one version of PCP 2.1. Not all versions are vulnerable (PCP 2.1 under
6.5.6m was not). One way to check if you're vulnerable is to do a:
strings /usr/pcp/bin/pmpost | grep PCP_LOG_DIR
If this string appears, you're vulnerable. If it doesn't, you're
probably not. Of course, to be safe you could always do the chmod.
Damian Menscher
--
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <menscher () uiuc edu> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
Current thread:
- pmpost - another nice symlink follower Paul Starzetz (Jun 18)
- Re: pmpost - another nice symlink follower Jan-Frode Myklebust (Jun 19)
- Re: pmpost - another nice symlink follower Damian Menscher (Jun 20)
- Re: pmpost - another nice symlink follower Keith Owens (Jun 19)
- Re: pmpost - another nice symlink follower Lynton Clamp (Jun 19)
- Re: pmpost - another nice symlink follower Roman Drahtmueller (Jun 19)
- Re: pmpost - another nice symlink follower Dale Southard (Jun 19)
- Re: pmpost - another nice symlink follower Jan-Frode Myklebust (Jun 19)