Re: admintool (was Re: Zolaris 2.5 Exploited.)

[leif () netscape com (Leif Hedstrom)]

> anthony baxter writes:
> > Just go to the "Groups" menu, and you'll have a nice and clean /.rhosts
> > file to play with... :(
>
> Hell, even easier, /tmp/.pwd.lock - you don't even need to select 'groups'. :)

Yup...

I've also been informed (thanks Donald Carvalho!) that vold on
Solaris-2.5 is also broken. It creates /tmp/.removable/cdrom0 (for
instance) with 666 and no security checks. I've verified this, works
"fine"...:-(

I believe the "vold" hole requires you to have physical access to the
machine, to insert a cdrom into the caddy. Bad anyway...

Summary: These 2.5 applications are completely broken

        kcms_calibrate
        kcms_configure
        admintool

and to some extent

        vold

The kcms_* binaries are part of the KCMS Runtime environment,
SUNWkcsrt. If you don't have this package installed, your are in better
shape. `admintool' is in the package named SUNWadmap.

-- Leif