Bugtraq mailing list archives

Re: SunOS exploit.


From: casper () HOLLAND SUN COM (Casper Dik)
Date: Tue, 20 May 1997 09:43:11 +0200


This worked on SunOS 5.5.1 Generic_103640-05 sun4m sparc.

Please mind you that this only works on versions of programs
that use getenv("USER"); to obtain the username, I'm also aware
anyone who uses elm on ANY system, linux, bsd, SunOS included
can read any user's mail :P. getenv("USER") on programs that are
reliant on the USERNAME isn't safe especially when they're +s'ed.


SunOS 5.x/Solaris 2.x doesn't come with chfn/chsh.  So if you have binaries
that produce this bug under SunOS 5.5.1, you have installed them yourself.

BTW, for proper operation chfn/chsh like programs need to be set-uid.

Casper
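
The getenv("USER") point discussed in this thread, as an added example that is not part of the original messages and not code from chfn, chsh or elm: a set-uid program should take the caller's name from the real UID via the passwd database rather than from the environment. The function names (claimed_user, real_user, user_env_mismatch) are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern the thread warns about: the invoking user controls the
 * environment, so this returns whatever name they chose to export. */
static const char *claimed_user(void)
{
    return getenv("USER");
}

/* Hardened lookup: map the real UID (set by the kernel, not by the caller)
 * to a login name. If several names share a UID, the first passwd entry is
 * returned. Returns 0 on success, -1 on failure. */
static int real_user(char *buf, size_t len)
{
    struct passwd *pw = getpwuid(getuid());

    if (pw == NULL || pw->pw_name == NULL || strlen(pw->pw_name) >= len)
        return -1;
    strcpy(buf, pw->pw_name);
    return 0;
}

/* 1 if $USER is set and disagrees with the passwd name for the real UID,
 * 0 if it agrees or is unset, -1 if the real UID has no passwd entry. */
static int user_env_mismatch(void)
{
    char name[256];
    const char *claim = claimed_user();

    if (real_user(name, sizeof name) != 0)
        return -1;
    return claim != NULL && strcmp(claim, name) != 0;
}

int main(void)
{
    char name[256];
    const char *claim = claimed_user();

    if (real_user(name, sizeof name) != 0)
        return 1;   /* fail closed: never fall back to $USER */
    printf("acting for %s (USER=%s, mismatch=%d)\n",
           name, claim ? claim : "(unset)", user_env_mismatch());
    return 0;
}
```

A non-zero result from user_env_mismatch() is also a reasonable thing to log in a privileged program, since a $USER that disagrees with the real UID is unusual.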


