Bugtraq mailing list archives

Solaris 2.3-2.4 Audit Bug


From: dowiii () charlie ksu ksu edu (Dow Summers)
Date: Sat, 11 Feb 1995 16:55:32 -0600 (CST)


I'm sorry if this has been discussed before.

There is a major security problem with auditing under Solaris 2.3
and 2.4.  If you run bsmconv to turn on auditing, any user can
break root very very easily.  I'd say more but I'd like to give
Sun at least a little bit of a chance to fix it first.

I have access to the source code for the OS and have tracked down
the one line of bad code.  How can I contact Sun to tell them the
problem with this line of code?????????????


---
dowiii () ksu ksu edu
Dow Summers
Computing and Network Services
Kansas State University


