Re: pmpost - another nice symlink follower

From: Dale Southard (southard1at_private)
Date: Tue Jun 19 2001 - 09:18:48 PDT

Next message: Henrik Nordstrom: "Re: The Dangers of Allowing Users to Post Images"

Previous message: Mike McEwen: "Re: SCO Tarantella Remote file read via ttawebtop.cgi"
In reply to: Paul Starzetz: "pmpost - another nice symlink follower"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

With minor modifications, this also yields root with the IRIX version
of PCP 2.1 running under IRIX 6.5.10.  PCP 2.2 under IRIX 6.5.11+ not
tested.

Under IRIX `chmod 555 /usr/pcp/bin/pmpost` mitigates the root
vulnerability (and presumably some of the PCP ``Notice Board''
functionality) until a patch is available.

Paul Starzetz <paulat_private> writes:

> there is a symlink handling problem in the pcp suite from SGI. The
> binary pmpost will follow symlinks, if setuid root this leads to instant
> root compromise, as found on SuSE 7.1 (I doubt that this a default SuSE
> package, though).

-- 

/*  Dale Southard Jr.       southard1at_private        925-422-1463  */
/*  Computer Scientist, Accelerated Strategic Computing Initiative  */
/*  L-550,  Lawrence Livermore National Lab,  Livermore CA   94551  */
/*  AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving  */

Next message: Henrik Nordstrom: "Re: The Dangers of Allowing Users to Post Images"
Previous message: Mike McEwen: "Re: SCO Tarantella Remote file read via ttawebtop.cgi"
In reply to: Paul Starzetz: "pmpost - another nice symlink follower"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 13:25:20 PDT