Bugtraq mailing list archives
Re: regarding the (ex)preserve holes
From: wam () cs purdue edu (William McVey)
Date: Fri, 16 Dec 1994 15:00:20 -0500
Matthew Harding wrote:
How does one go about determining the dangerousness of the (ex)preserve holes? I notice on my SunOS 4.1.x systems that both expreserve and exrecover are suid root, but I assume that the latest versions of either the editors or the OS ignore this when playing with the IFS variables. Please tell me this is a correct assumption! I'm not sure if our friends at 8lgm etc. have a script for this, but I'm curious as to the ongoing danger of these holes.
I know that the unpatched Sun 4.1.? version of expreserve also suffered from a race condition where you could trick it into writing it's tempfile onto a symlink to a root owned file. The patch number is 101579-01 (It's on the Solaris 1.1.1 Recommended Patches list.) Some of the free UNIX OSs (FreeBSD and NetBSD) as recently as like a year ago still had a setuid expreserve that called system(3) to send notification mail. (They have since switched to nvi, which has a far superior method of handling editor preserves). -- William McVey Instructional Labs Administrator Purdue Universtiy CS Dept.
Current thread:
- regarding the (ex)preserve holes Matthew Harding (Dec 16)
- <Possible follow-ups>
- Re: regarding the (ex)preserve holes William McVey (Dec 16)
- Re: regarding the (ex)preserve holes Timothy Newsham (Dec 17)