Bugtraq mailing list archives
flaw in dmesg under Solaris
From: echo8 () HOBBITON ORG (echo8)
Date: Tue, 9 Nov 1999 13:22:01 -0600
Under all versions of Solaris prior to 2.7, and under 2.7 prior to patch 106541-07, /usr/sbin/dmesg, when called with the "-" argument, creates /var/adm/msgbuf owned and writeable by the user who ran the utility, assuming that the file didn't already exist (it won't until someone runs dmesg -). Once the file exists, "dmesg -" will not work properly for any other user, and the file remains, owned by the user who called the utility. Under Solaris 2.7, patch 106541-07 addresses the problem by replacing /usr/sbin/dmesg with a shell script which breaks the functionality of the "-" argument entirely. Obviously, Sun is aware of the problem, but I spoke to them on 9/21/99 to open a service order and get a bugid assigned. I've heard nothing since then.
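An added example, not part of the original post: a POSIX sh check an administrator could run to see whether /var/adm/msgbuf already exists with the ownership and permissions the report describes. The function name check_msgbuf and the expectation that root (uid 0) should own the file are assumptions of this example.

```shell
#!/bin/sh
# check_msgbuf PATH [EXPECTED_UID]
# Returns 0 if PATH is absent, or is owned by EXPECTED_UID and not writable
# by group or other; returns 1 (and prints why) otherwise.
check_msgbuf() {
    path=$1
    want_uid=${2:-0}   # assumption: the file should belong to root (uid 0)

    if [ ! -e "$path" ]; then
        echo "OK: $path absent (nobody has run 'dmesg -' yet)"
        return 0
    fi

    # ls -lnd prints the mode string and the numeric owner without
    # depending on a stat(1) command, which varies across platforms.
    listing=$(ls -lnd "$path") || return 1
    mode=${listing%% *}
    uid=$(printf '%s\n' "$listing" | awk '{print $3}')
    rc=0

    if [ "$uid" != "$want_uid" ]; then
        echo "FINDING: $path owned by uid $uid, expected $want_uid"
        rc=1
    fi

    # Character 6 of the mode string is group write, character 9 is other write.
    case $mode in
        ?????w*|????????w*)
            echo "FINDING: $path is group- or world-writable ($mode)"
            rc=1 ;;
    esac

    if [ "$rc" -eq 0 ]; then
        echo "OK: $path owned by uid $uid, mode $mode"
    fi
    return "$rc"
}

# Audit the path named in the report.
check_msgbuf /var/adm/msgbuf
```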