Bugtraq mailing list archives
admintool (was Re: Zolaris 2.5 Exploited.)
From: anthony.baxter () aaii oz au (anthony baxter)
Date: Fri, 26 Jul 1996 15:10:25 +1000
Fwiw, I believe "admintool" in Solaris-2.5 has exactly the same problem. /tmp/.group.lock for instance is created 666, no security checks...
Just go to the "Groups" menu, and you'll have a nice and clean /.rhosts file to play with... :(
Hell, even easier, /tmp/.pwd.lock - you don't even need to select 'groups'. :) or /tmp/.hosts.lock, and select 'hosts'. cat 'clue' | admintool_author () sun com chmod ug-s /usr/bin/admintool (it's the only way to be sure) truss/strace/sctrace/equivalent on applications such as these can be quite enlightening (if nothing else, look for 'open()' calls. Anthony
Current thread:
- Re: Zolaris 2.5 Exploited. Leif Hedstrom (Jul 25)
- admintool (was Re: Zolaris 2.5 Exploited.) anthony baxter (Jul 25)
- <Possible follow-ups>
- Zolaris 2.5 Exploited. Jungseok Roh (Jul 26)
- Re: Zolaris 2.5 Exploited. Brian T. Wightman (Jul 25)
- Re: Zolaris 2.5 Exploited. Jungseok Roh (Jul 26)
- Re: Zolaris 2.5 Exploited. Brian T. Wightman (Jul 25)
- Re: Zolaris 2.5 Exploited. Eugene Bradley (Jul 26)
- Re: Zolaris 2.5 Exploited. Matthew G. Harrigan (Jul 26)
- Re: Zolaris 2.5 Exploited. Steph Bridges (Jul 26)
- Re: Zolaris 2.5 Exploited. Jeff Wolfe (Jul 26)