Re: Solaris priocntl exploit

From: Jay Beale (jay@bastille-linux.org)
Date: Mon Dec 02 2002 - 08:45:38 PST


> but unfortunately, priocntl() never checks '../' in pc_clname arg
> we can use '../../../tmp/module' to make priocntl() load a module from anywhere

You've got to love when this kind of classic mistake happens in a system call!

I latched onto this one simply because it's the same poor input
validation/permissions check that happens in my favorite old privilege escalator,
userhelper.  ( http://online.securityfocus.com/bid/913 )

This always gets classified as bad input validation.  Is the right answer really
to check for ../ 's or to canonicalize the filename argument and check ownerships
and permissions on the file and parent directories?

  - Jay
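The two options Jay contrasts, as an added C example that is not part of his message or of the exploit post he replies to: a plain ".." component check on the caller-supplied name, beside the canonicalize-then-verify approach, where the name is joined to a trusted directory (the directory and file names here are hypothetical), resolved with realpath(), confirmed to sit beneath that directory, and then every node from the file up to "/" is required to be root-owned and neither group- nor world-writable. With that second check, a file dropped in /tmp is rejected by its location's permissions, whatever the caller typed.

```c
/* Added example: pattern check vs. canonical path + ownership check for a
 * privileged loader.  Assumes POSIX realpath()/stat(); TRUSTED_DIR is a
 * hypothetical module directory standing in for the kernel's own. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define TRUSTED_DIR "/usr/lib/modules"   /* hypothetical */

/* Option 1, the naive check: reject any ".." component in the supplied name. */
int has_dotdot_component(const char *name)
{
    const char *p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Option 2a: resolve base/name through realpath() (symlinks and ".." gone) and
 * require the result to be base itself or something beneath it.
 * Returns 1 and fills out on success, 0 otherwise. */
int resolve_under(const char *base, const char *name, char *out, size_t outlen)
{
    char joined[PATH_MAX], rbase[PATH_MAX], rpath[PATH_MAX];
    size_t blen;

    if (snprintf(joined, sizeof joined, "%s/%s", base, name) >= (int)sizeof joined)
        return 0;
    if (!realpath(base, rbase) || !realpath(joined, rpath))
        return 0;               /* nonexistent or unresolvable: reject */
    blen = strlen(rbase);
    /* The prefix must end at a separator so "/etc" does not admit "/etcetera". */
    if (strncmp(rpath, rbase, blen) != 0 ||
        (rpath[blen] != '\0' && rpath[blen] != '/' && strcmp(rbase, "/") != 0))
        return 0;
    if (strlen(rpath) >= outlen)
        return 0;
    strcpy(out, rpath);
    return 1;
}

/* Option 2b: walk from the canonical path up to "/" and require every node to
 * be owned by uid 0 and not group- or world-writable.  A world-writable
 * directory such as /tmp anywhere on the path fails this check. */
int path_is_trusted(const char *canonical)
{
    char buf[PATH_MAX];
    struct stat st;

    if (canonical[0] != '/' || strlen(canonical) >= sizeof buf)
        return 0;
    strcpy(buf, canonical);
    for (;;) {
        char *slash;
        if (stat(buf, &st) != 0)
            return 0;
        if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
            return 0;
        if (strcmp(buf, "/") == 0)
            return 1;
        slash = strrchr(buf, '/');
        if (slash == buf)
            strcpy(buf, "/");   /* parent of a top-level entry is "/" */
        else
            *slash = '\0';
    }
}

/* The combined check a loader would apply to a caller-supplied module name. */
int safe_module_path(const char *name, char *out, size_t outlen)
{
    return resolve_under(TRUSTED_DIR, name, out, outlen) && path_is_trusted(out);
}

int main(void)
{
    char out[PATH_MAX];
    const char *name = "../../../tmp/module";   /* the name from the exploit post */
    printf("dotdot check: %s\n", has_dotdot_component(name) ? "rejected" : "accepted");
    printf("canonical check: %s\n", safe_module_path(name, out, sizeof out) ? "accepted" : "rejected");
    return 0;
}
```

The canonical check never inspects the string for patterns; it decides on what the name resolves to and on who controls that location, which is the question a privileged loader actually needs answered.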
    



    This archive was generated by hypermail 2b30 : Mon Dec 02 2002 - 13:23:42 PST