Bugtraq mailing list archives
sastcpd 8.0 'authprog' local root vulnerability
From: rpc <rpc () unholy net>
Date: Wed, 30 Jan 2002 22:40:58 -0800
Hi, Several environment variable problems exist in the 'SAS Job Spawner for Open Systems version 8.00'. No other releases of the software were available to test. Sorry. authprog vulnerability ---------------------- The daemon passes a user-defined environment variable, 'authprog', to execve(). This obviously is a problem if sastcpd is setuid. A sample 'exploit' is attached. netencralg vulnerability ------------------------ I haven't poked at this long enough to determine whether or not it is exploitable. sastcpd segfaults if 'netencralg' is set to any value. All test were run on SunOS 5.8. Both vulnerabilities were discovered with Dave Aitel's/AtStake simple-yet-sexy sharefuzz 1.0. cheers, --rpc
Attachment:
authme.sh
Description:
Attachment:
_bin
Description:
Current thread:
- sastcpd 8.0 'authprog' local root vulnerability rpc (Jan 30)