Re: pmpost - another nice symlink follower

From: Jan-Frode Myklebust (janfrodeat_private)
Date: Tue Jun 19 2001 - 00:35:57 PDT

Next message: SDL Office: "SurgeFTP vulnerabilities"

Previous message: Roman Drahtmueller: "Re: pmpost - another nice symlink follower"
In reply to: Paul Starzetz: "pmpost - another nice symlink follower"
Next in thread: Damian Menscher: "Re: pmpost - another nice symlink follower"
Next in thread: Keith Owens: "Re: pmpost - another nice symlink follower"
Reply: Damian Menscher: "Re: pmpost - another nice symlink follower"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jun 18, 2001 at 07:11:20PM +0200, Paul Starzetz wrote:
> Hi,
> 
> there is a symlink handling problem in the pcp suite from SGI. The
> binary pmpost will follow symlinks, if setuid root this leads to instant
> root compromise, as found on SuSE 7.1 (I doubt that this a default SuSE
> package, though).

It's probably a very rare package under linux, but
more common under IRIX. I just tested your exploit
against SGI's binary release of PCP 2.1 under IRIX
6.5.12m, and it worked just fine (after minor fixes).

  -jf

Next message: SDL Office: "SurgeFTP vulnerabilities"
Previous message: Roman Drahtmueller: "Re: pmpost - another nice symlink follower"
In reply to: Paul Starzetz: "pmpost - another nice symlink follower"
Next in thread: Damian Menscher: "Re: pmpost - another nice symlink follower"
Next in thread: Keith Owens: "Re: pmpost - another nice symlink follower"
Reply: Damian Menscher: "Re: pmpost - another nice symlink follower"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 07:10:32 PDT