Re: Solaris 2.5 /bin/su [was: vulnerability in su/PAM in redhat]

From: Casper Dik (casperat_private)
Date: Thu Jun 10 1999 - 13:40:51 PDT

    >The same sort of problem existed in solaris /bin/su on 2.5 and below.
    >
    >The comments in the quick proof of concept sploit below should explain
    >further [heh - almost as high a comment/code ratio as Hobbit's netcat
    >source :) ].
    
    
    The version of Solaris that fixed this made several changes.
    Instead of
    
    	not trapping signals
    	and Sorry/sleep/syslog
    
    the new version traps (some) signals and reorders the
    calls to syslog/sleep/Sorry.
    
    Of course, since you started the process you can still kill -9 it but
    you won't know whether you typed the right password until long after
    syslog() logged the bad "su".
    
    Casper
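
The reordering described in this message, as an added C example that is not from the original post or from Solaris source: a failed-authentication path that ignores the catchable signals, writes the syslog record, sleeps, and only then prints the refusal. The function name, the set of trapped signals, the log text and the user names are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <syslog.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed set of trapped signals (the post says only "(some)"). SIGKILL and
 * SIGSTOP cannot be caught or ignored, which is why "kill -9" still works. */
static const int trapped[] = { SIGHUP, SIGINT, SIGQUIT, SIGTERM, SIGTSTP };
#define NTRAPPED (sizeof trapped / sizeof trapped[0])

/* Hypothetical failure path; returns the exit status the caller should use. */
int auth_failed(const char *from, const char *to, unsigned delay)
{
    struct sigaction ign, old[NTRAPPED];
    size_t i;
    ign.sa_handler = SIG_IGN;
    ign.sa_flags = 0;
    sigemptyset(&ign.sa_mask);
    for (i = 0; i < NTRAPPED; i++)
        sigaction(trapped[i], &ign, &old[i]);

    /* 1. Audit record first, before the user learns anything. */
    syslog(LOG_AUTH | LOG_NOTICE, "'su %s' failed for %s", to, from);
    /* 2. Delay; sleep() returns the unslept time if it is interrupted. */
    while (delay > 0)
        delay = sleep(delay);
    /* 3. The outcome becomes visible last. */
    fputs("su: Sorry\n", stderr);

    for (i = 0; i < NTRAPPED; i++)
        sigaction(trapped[i], &old[i], NULL);
    return 1;
}

/* Demo: signal a child mid-delay; it still logs, waits and exits 1. */
int main(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return 1;
    if (pid == 0)
        _exit(auth_failed("alice", "root", 2));   /* constructed names */
    sleep(1);
    kill(pid, SIGTERM);
    waitpid(pid, &status, 0);
    printf("child exited normally: %d\n", WIFEXITED(status));
    return 0;
}
```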
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:49:04 PDT