On Tue, 19 Jun 2001, Jan-Frode Myklebust wrote: > On Mon, Jun 18, 2001 at 07:11:20PM +0200, Paul Starzetz wrote: > > there is a symlink handling problem in the pcp suite from SGI. The > > binary pmpost will follow symlinks, if setuid root this leads to instant > > root compromise, as found on SuSE 7.1 (I doubt that this a default SuSE > > package, though). > > It's probably a very rare package under linux, but > more common under IRIX. I just tested your exploit > against SGI's binary release of PCP 2.1 under IRIX > 6.5.12m, and it worked just fine (after minor fixes). Comparing notes with Jan-Frode indicated that SGI has released more than one version of PCP 2.1. Not all versions are vulnerable (PCP 2.1 under 6.5.6m was not). One way to check if you're vulnerable is to do a: strings /usr/pcp/bin/pmpost | grep PCP_LOG_DIR If this string appears, you're vulnerable. If it doesn't, you're probably not. Of course, to be safe you could always do the chmod. Damian Menscher -- --==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==-- --==## <menscherat_private> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==-- --==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
This archive was generated by hypermail 2b30 : Wed Jun 20 2001 - 05:52:24 PDT