On Fri, 23 Oct 1998, Roger Harrison wrote:

> On Wed, 21 Oct 1998, Joel Eriksson wrote:
>
> > License Manager on Solaris 2.5.1 tends to make stupid lockfiles owned by
> > root and mode 666 (world-writable). That is not good, since anyone could
> > create root-owned files which they then would be able to modify. It's an
> > even bigger problem since it just takes about a minute 'til the lockfile
> > is created after it's replaced with a symlink which it follows ..
>
> I discovered this a few months ago and neglected to post it.
> Solaris 2.6 is affected as well. A lock file locksuntechd is created
> in /tmp mode 666 owned by root and group root. I think the program is
> lmgrd FLEXlm v2.26d that is causing the problems, either that or suntechd.
>
> %ls -la /tmp/locksuntechd
> -rw-rw-rw- 1 root root 0 Oct 22 12:51 locksuntechd
>
> suntechd is in /opt/SUNWspro/SunTech_License/bin/
>
> There is a log file that contains some stuff about when the daemon is
> going up or down and also if users are exploiting it you can see entries
> about the lock file not being available. It is in
> /opt/SUNWspro/SunTech_License/license.log
>
> So to exploit it, just remove the locksuntechd file and replace it with a
> symlink to a file you want to create. It will not overwrite existing
> files from the testing that I did. Then the link is followed and the new
> file is created with mode 666 ownership root. You can then delete the
> symlink and create a new one to somewhere else and it will work again and
> again and again...what fun. Users could create .rhosts files, new system
> webpages, new trojan binaries with names spelled slightly off that get
> misspelled often (finger-fineger, pine-pien, ls-sl) come on.. tell me
> you never typed one of those out wrong while you were typing fast!

The version of flexlm you're using is ancient. The current version is 6.1.
A large number of vulnerabilities in flexlm were made public in Sep 1996.
This includes the file permission races in /var/tmp that have been
highlighted here. The bottom line is flexlm should NOT be run as root.

See http://www.globetrotter.com/auscert.htm for the advisory.

Regards
Peter Marelas

--
   /\        The Fulcrum Consulting Group            Peter Marelas - Consultant
  /\O\       Professional Services For Operation     Peter.Marelasat_private
 / /\        Of A Networked Computing Environment    ph: +61-3-9621-2100
/o | \       12/10-16 Queen St, Melbourne VIC 3000, Australia   fx: +61-3-9621-2724
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:21:04 PDT