Bugtraq mailing list archives
potential root exploit with help from sam (HP-UX 10.x)
From: nhyamd () ASCOM CH (David Hyams)
Date: Wed, 14 May 1997 13:52:34 +0200
While looking in the /var/tmp directory I noticed a file called "outdata". After some experiments, I discovered that this file is written to by sam when the user selects "Networking and Communication" followed by "Internet Addresses" or "Network Information Service" (and probably others too).

So, if I make a symbolic link from /var/tmp/outdata to /.rhosts (say), and wait for the sys-admin to run sam to configure networking, I can get a /.rhosts file. Admittedly this isn't too interesting as the file doesn't have the famous "+ +" in it. However, if your sysadmin happens to have umask set to 0 then you've now got a world writable /.rhosts file. (This isn't as unusual as it sounds, try an rlogin to a remote host running HP-UX and check your umask. Chances are it's 00).

No doubt other bugtraq readers can turn this into a more serious root exploit - maybe it's possible to get sam to put a "+ +" in /.rhosts. Or maybe someone can think of some other symbolic links to try.

David Hyams
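The file-creation pattern the post describes, beside a hardened form, as an added example that is not part of the original message and is not sam's code. The function names, the private demo directory and the `victim` stand-in for a sensitive file are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak form: fixed name, follows a symlink, mode is 0666 & ~umask. */
static int write_scratch_unsafe(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened form: O_EXCL refuses any existing name (a symlink included),
 * O_NOFOLLOW backs it up, and 0600 stays private even with umask 0. */
static int write_scratch_safe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    if (close(fd) != 0 || n != (ssize_t)len) return -1;
    return 0;
}

/* Constructed demo: "outdata" is a symlink that already exists when the
 * writer runs. Returns bits: 1 = write succeeded, 2 = victim file was
 * created through the link, 4 = victim is world-writable. */
static int demo(int use_safe) {
    char dir[] = "/tmp/symdemoXXXXXX", lnk[64], victim[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/outdata", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, lnk) != 0) return -1;
    mode_t old = umask(0);            /* the umask the post warns about */
    int rc = use_safe ? write_scratch_safe(lnk, "x\n")
                      : write_scratch_unsafe(lnk, "x\n");
    umask(old);
    int created = (stat(victim, &st) == 0);
    int ww = created && (st.st_mode & S_IWOTH);
    unlink(victim); unlink(lnk); rmdir(dir);
    return (rc == 0 ? 1 : 0) | (created ? 2 : 0) | (ww ? 4 : 0);
}

int main(void) { printf("%d %d\n", demo(0), demo(1)); return 0; }
```

A program that needs scratch space is better served by `mkstemp()` in a directory only it can write to; the hardened function above shows the minimum needed when a fixed name must be kept.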