Re: Solaris patchadd(1) (3) symlink vulnerabilty

["Juan M. Courcoul" <courcoul () CAMPUS QRO ITESM MX>]

Paul Szabo wrote:
> Juergen P. Meier <jpm () class de> wrote:
>
> > Solaris /usr/sbin/patchadd is a /bin/ksh script.
> > The problem lies in the vulnerability of ksh.
>
> Damn: thus it would seem that not only sh, but also ksh is vulnerable!
>
> > However: Sun Microsystems does recommend to only install
> > patches at single-user mode (runlevel S). ...
> > ... if you follow the Vendors recommendations, you are
> > not vulnerable.
>
> The attacker can create the symlinks before you go single-user. As the
> original poster Jonathan Fortin <jfortin () REVELEX COM> said:
>
> > Only solution is to rm -rf /tmp/* /tmp/.* [and] make sure no users are on

Unless you changed the way Solaris does things, my recommendation to shut the
machine down, start it up with 'boot -s' and then patch takes care of this.

By default Solaris maps /tmp onto the paging area (meaning there is no physical
/tmp partition), so everytime the machine restarts you get a sparking clean
/tmp, with no residues from its previous life. Volia ! No symlinks...

J. Courcoul