Bugtraq mailing list archives

Re: Solaris patchadd(1) (3) symlink vulnerability


From: "Juergen P. Meier" <jpm () class de>
Date: Thu, 21 Dec 2000 12:09:31 +0100

On Thu, Dec 21, 2000 at 09:13:29AM +1100, Paul Szabo wrote:
> Juergen P. Meier <jpm () class de> wrote:
>
> > Solaris /usr/sbin/patchadd is a /bin/ksh script.
> > The problem lies in the vulnerability of ksh.
>
> Damn: thus it would seem that not only sh, but also ksh is vulnerable!

seems so :(

> > However: Sun Microsystems does recommend to only install
> > patches at single-user mode (runlevel S). ...
> > ... if you follow the Vendors recommendations, you are
> > not vulnerable.
>
> The attacker can create the symlinks before you go single-user. As the
> original poster Jonathan Fortin <jfortin () REVELEX COM> said:
>
> > Only solution is to rm -rf /tmp/* /tmp/.* [and] make sure no users are on
>
> Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
> School of Mathematics and Statistics  University of Sydney   2006  Australia

I do indeed stand corrected: The only 2 solutions are:
1) change to single user mode by means of init S
   and rm -rf /tmp/* /tmp/.*
2) shutdown and boot -s into single user mode.

you should do this at least once (when Sun releases the shell-patches ;)

have a nice day,

Juergen

--
Juergen P. Meier                        email: jpm () class de
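
A pre-flight check for the situation discussed in this thread, as an added example that is not part of the original messages: before a root-run script such as patchadd is started, list any symbolic links sitting directly in /tmp. The function names are hypothetical, and the check assumes filenames without embedded newlines.

```shell
#!/bin/sh
# Added example (not from the thread): report symbolic links sitting directly
# in a temporary directory before a root-run shell script is started there.

# list_tmp_symlinks DIR   (hypothetical helper name; DIR defaults to /tmp)
# Prints one "link -> target" line per symlink found directly in DIR.
# Exit status: 0 if none were found, 1 if any were found, 2 on bad input.
list_tmp_symlinks() {
    dir=${1:-/tmp}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=0
    # Three patterns cover ordinary names, dotfiles, and names that start
    # with "..", without ever matching "." or ".." themselves.
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # -L is true for a symlink even when its target does not exist,
        # so dangling links are reported as well.
        if [ -L "$entry" ]; then
            # ls -ld is used instead of readlink for portability to old systems.
            target=$(ls -ld "$entry" | sed 's/.* -> //')
            echo "$entry -> $target"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# count_tmp_symlinks DIR   (hypothetical helper name)
# Prints the number of symlinks found directly in DIR.
count_tmp_symlinks() {
    list_tmp_symlinks "$1" | wc -l | tr -d ' '
}
```

A non-zero exit status from `list_tmp_symlinks /tmp` means links are present and /tmp should be cleaned in single-user mode, as described above, before patching.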

