> The same sort of problem existed in solaris /bin/su on 2.5 and below.
>
> The comments in the quick proof of concept sploit below should explain
> further [heh - almost as high a comment/code ratio as Hobbit's netcat
> source :) ].

The version of Solaris that fixed this made several changes; instead of not trapping signals and Sorry/sleep/syslog, the new version traps (some) signals and reorders the calls to syslog/sleep/Sorry. Of course, since you started the process you can still kill -9 it, but you won't know whether you typed the right password until long after syslog() logged the bad "su".

Casper
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:49:04 PDT