Re: License Manager's lockfiles (Solaris 2.5.1)

From: Don Lewis (Don.Lewisat_private)
Date: Fri Oct 23 1998 - 21:44:41 PDT

    On Oct 23,  8:22pm, Roger Harrison ? wrote:
    } Subject: Re: License Manager's lockfiles (Solaris 2.5.1)
    
    } So to exploit it, just remove the locksuntechd file and replace it with a
    } symlink to a file you want to create.  It will not overwrite existing
    } files from the testing that I did.  Then the link is followed and the new
    } file is created with mode 666 ownership root.  You can then delete the
    } symlink and create a new one to somewhere else and it will work again and
    } again and again...what fun.  Users could create .rhosts files, new system
    } webpages, new trojan binaries with names spelled slightly off that get
    } misspelled often (finger-fineger, pine-pien, ls-sl)  come on.. tell me
    } you never typed one of those out wrong while you were typing fast!
    
    Unless you've found another bug, world writeable .rhosts files should be
    ignored.  Also, if you don't own the trojan binary files, how are you going
    to set the execute bits so that other users can execute them?
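
The quoted report describes a root daemon creating its lockfile through a planted symlink, with mode 666. As an added example that is not part of the original thread and is not the License Manager's code, the C below contrasts that creation pattern with one that refuses a pre-existing link. The function names, the temp-directory scenario and the POSIX.1-2008 target are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the thread describes: follows a planted symlink and creates the
 * target with mode 666 (before umask). Kept only for contrast. */
int create_lock_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0666);
}

/* Hardened: O_EXCL fails with EEXIST if anything, a symlink included, already
 * sits at path; O_NOFOLLOW is defence in depth; mode is not world-writable. */
int create_lock_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    /* Verify the descriptor: regular file, one link, no world-write bit. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        (st.st_mode & S_IWOTH)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink with the lockfile's name points at a victim
 * path. Returns 1 if `creator` made the victim through the link, 0 if not. */
int symlink_followed(int (*creator)(const char *)) {
    char dir[] = "/tmp/lockdemoXXXXXX", lock[64], victim[64];
    struct stat st;
    int fd, created;
    if (!mkdtemp(dir)) return -1;
    snprintf(lock, sizeof lock, "%s/lockfile", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, lock) != 0) return -1;
    fd = creator(lock);
    if (fd >= 0) close(fd);
    created = (stat(victim, &st) == 0);
    unlink(victim); unlink(lock); rmdir(dir);
    return created;
}

int main(void) {
    printf("unsafe followed link: %d\n", symlink_followed(create_lock_unsafe));
    printf("safe followed link:   %d\n", symlink_followed(create_lock_safe));
    return 0;
}
```

Keeping the lockfile in a directory that only the daemon's user can write removes the opportunity to plant the link at all; the flags above cover the case where the directory cannot be changed.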
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:21:01 PDT