Bugtraq mailing list archives

Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm]


From: jody () blueskytours com (Jody L. Baze)
Date: Thu, 5 Dec 1996 14:51:52 -0700


On Thu, 5 Dec 1996, Paul B. Henson wrote:

Platform: Solaris 2.4, 2.5, 2.5.1, other System V derived
          systems with the FACE package installed

I tried your example on three different Solaris 2.5 machines with varying
patch levels. On all of them, after setting up the environment as
specified, running the chkperm command resulted in an error message, and no
.rhosts file was created in /usr/bin.

I've tried this on several machines so far (also with varying patch levels)
and have noticed similar behaviour...

% /usr/vmsys/bin/chkperm -l -u foo
Error creating <gibberish characters>

It apparently tries to create that file in the parent directory. It *will*
create the file if you happen to be in, for example, /tmp/foo - it'll get
created in /tmp. The perm/owner/group is 0666:bin:bin.

Was anyone able to successfully reproduce this exploit?

Nope, at least not on my machines. Hmm...

JLB
--
Jody L. Baze                 Blue Sky Tours, Inc.
Software Development         10832 Prospect Avenue N.E.
System Administration        Albuquerque, NM  87112
jody () BlueSkyTours COM        (505) 292-6961


