Bugtraq mailing list archives
r00t advisory -- sol2.5 su(1M) vulnerability
From: gahull () ccs neu edu (Gregory Hull)
Date: Mon, 26 Aug 1996 12:21:48 -0400
r00t advisory [ sol 2.5 su(1M) ] [ Aug 25 1996 ]

-- Synopsis

There exists a vulnerability in the su(1M) program that will allow any user to execute arbitrary commands as r00t. To exploit this vulnerability the malicious hacker must have already obtained sgid sys (not too hard to do!). If sulog doesn't yet exist, su will create it and then chown() it rather than fchown() it, resulting in an easily exploitable race condition.

-- Exploitability

r00t has tested this vulnerability and successfully run the id(1) program as euid r00t from a non-root account. A simple C program that unlinks the sulog and copies your favorite bin and chmod 4755's it works quite effectively. We have been able to win the race on normally the 4th or 5th try.

-- Fixes ?

Our suggestion is to move back to a secure 4.2BSD based operating system -- or perhaps just undefine sulog in /etc/default/su or spend a few minutes writing your own version of su.

r00t -- we're all idiots.
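The defect the advisory points at is a create-by-name followed by a chown-by-name: the second lookup of the path can land on a different file than the one su just created. The example below is added here for illustration and is not r00t's code nor Sun's su; it contrasts that racy pattern with the descriptor-based form (open, then fstat/fchown on the returned descriptor, so no second name lookup happens). Function names, the temporary directory layout and the sample sulog line are constructed for the demo; it assumes a POSIX system with O_NOFOLLOW (Linux, BSD, modern Solaris).

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* The pattern the advisory describes: the file is created by name, then
 * ownership is set by name.  Between the two calls the name can be re-bound
 * to a different file, so chown() lands on whatever the name points to when
 * it runs.  Kept only to show where the window is; the demo never calls it. */
int open_log_racy(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (chown(path, uid, gid) < 0) {   /* second lookup of path: the race window */
        close(fd);
        return -1;
    }
    return fd;
}

/* Hardened form: every privileged operation is done on the descriptor that
 * open() returned, so there is no second name lookup to race. */
int open_log_secure(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink as the final path component. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Verify what we actually opened: a regular file with a single link. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    if (fchown(fd, uid, gid) < 0) {    /* acts on the open file, not the name */
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo: create a log in a fresh temp dir, append one constructed sulog-style
 * line, confirm ownership/mode through the descriptor, clean up.  Returns 0 on success. */
int demo_secure_log(void)
{
    char dir[] = "/tmp/sulog_demo_XXXXXX";           /* constructed sample path */
    char path[64];
    struct stat st;
    const char line[] = "SU 08/25 12:00 + pts/0 user-root\n";  /* constructed line */
    int fd, rc = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/sulog", dir);
    fd = open_log_secure(path, getuid(), getgid());
    if (fd >= 0) {
        if (write(fd, line, sizeof line - 1) == (ssize_t)(sizeof line - 1)
            && fstat(fd, &st) == 0
            && st.st_uid == getuid()
            && (st.st_mode & 0777) == 0600)
            rc = 0;
        close(fd);
    }
    unlink(path);
    rmdir(dir);
    return rc;
}

/* Demo: the log name is a symlink to somewhere else; the hardened open must
 * refuse it (ELOOP).  Returns 1 if refused, 0 if it was followed, -1 on setup error. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/sulog_demo_XXXXXX";
    char path[64], target[64];
    int fd, refused = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/sulog", dir);
    snprintf(target, sizeof target, "%s/elsewhere", dir);
    if (symlink(target, path) == 0) {
        fd = open_log_secure(path, getuid(), getgid());
        refused = (fd < 0) ? 1 : 0;
        if (fd >= 0)
            close(fd);
    }
    unlink(path);
    unlink(target);
    rmdir(dir);
    return refused;
}

int main(void)
{
    printf("secure log write: %s\n", demo_secure_log() == 0 ? "ok" : "failed");
    printf("symlink refused:  %s\n", demo_symlink_refused() == 1 ? "yes" : "no");
    return 0;
}
```

The same idea generalises to any privileged program that creates a file and then adjusts it: obtain the descriptor once, then use fstat/fchown/fchmod on that descriptor rather than repeating the path. The demo deliberately chowns to the caller's own uid/gid so it runs unprivileged; a real su would pass the uid/gid it wants the log owned by.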