Bugtraq: Re: HP UX Bug :)


From: Brian Mitchell <brian_at_FIREHOUSE.NET>
Date: Tue, 2 Sep 1997 03:29:03 -0400

On Mon, 1 Sep 1997, Leonid S Knyshov wrote:

> However, it wipes out the target file. A symlink to /etc/passwd comes to
> mind.

The file would retain permissions. Permissions are set on create; it
probably is simply truncating the file.

>
> But, since it follows the umask, it might be possible to replace binaries
> executed by system...

See above.

>
> In any event, a very dangerous condition...

Indeed. .forward/.rhosts is the most obvious attack.

>
> I do not have the access to source code, so I can't think of a patch.
> Probably replace getenv with getuid or something like that.

It's kinda lame, but:

Remove the s bit from the program, write a C program that clears the
environment and exports those variables it needs (setting the user via
getpwuid() or somesuch), then executes the program (while euid=0,
ruid=you).
Received on Sep 03 1997
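The wrapper sketched in the message above, written out as an added example; this is not code from the original post or from HP. It assumes the vulnerable program is installed at the placeholder path /usr/local/bin/hpux-program and that the variables it needs are USER, LOGNAME, HOME and PATH (none of these names are given in the thread). The wrapper itself is installed root-owned with the s bit, the target has its s bit removed, and on exec the target inherits euid 0 from the wrapper while getuid() still names the caller. The environment is rebuilt from getpwuid(getuid()) rather than from whatever the caller exported, so a symlink planted through a forged environment variable is never followed.

```c
/* Setuid wrapper: discards the caller's environment and rebuilds it from the
 * password database, then execs the (no longer setuid) target.
 * Install: cc -o wrapper wrapper.c; chown root wrapper; chmod 4755 wrapper;
 *          chmod u-s TARGET.  All paths and variable names are assumptions. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical location of the vulnerable program (not named in the thread). */
#define TARGET "/usr/local/bin/hpux-program"

/* Fixed PATH handed to the target; the caller's PATH is never consulted. */
#define SAFE_PATH "/usr/bin:/bin"

/* A home directory we are willing to export: absolute, no whitespace or
 * control characters, and no ".." component that could walk out of it. */
int valid_home(const char *dir)
{
    if (dir == NULL || dir[0] != '/')
        return 0;
    for (const char *p = dir; *p != '\0'; p++)
        if ((unsigned char)*p < 0x21 || *p == 0x7f)
            return 0;
    if (strstr(dir, "/../") != NULL)
        return 0;
    size_t n = strlen(dir);
    if (n >= 3 && strcmp(dir + n - 3, "/..") == 0)
        return 0;
    return 1;
}

/* Allocate "NAME=VALUE". */
static char *kv(const char *name, const char *value)
{
    size_t n = strlen(name) + 1 + strlen(value) + 1;
    char *s = malloc(n);
    if (s == NULL)
        return NULL;
    snprintf(s, n, "%s=%s", name, value);
    return s;
}

/* Build the minimal environment for the real user described by pw, in the
 * fixed order USER, LOGNAME, HOME, PATH, NULL.  Returns NULL if the passwd
 * entry is missing or unusable, so the caller refuses to exec at all. */
char **build_env(const struct passwd *pw)
{
    if (pw == NULL || pw->pw_name == NULL || pw->pw_name[0] == '\0' ||
        strchr(pw->pw_name, '=') != NULL || !valid_home(pw->pw_dir))
        return NULL;
    char **env = calloc(5, sizeof *env);
    if (env == NULL)
        return NULL;
    env[0] = kv("USER", pw->pw_name);
    env[1] = kv("LOGNAME", pw->pw_name);
    env[2] = kv("HOME", pw->pw_dir);
    env[3] = kv("PATH", SAFE_PATH);
    env[4] = NULL;
    for (int i = 0; i < 4; i++)
        if (env[i] == NULL)
            return NULL;  /* allocation failed; the process exits right after */
    return env;
}

int main(int argc, char **argv)
{
    (void)argc;
    /* getuid() is the invoking user even though the s bit gave us euid 0. */
    struct passwd *pw = getpwuid(getuid());
    char **env = build_env(pw);
    if (env == NULL) {
        fprintf(stderr, "wrapper: no usable passwd entry for uid %ld\n",
                (long)getuid());
        return 1;
    }
    /* Pass the caller's arguments through, never their environment.  TARGET
     * has no s bit, so it runs with euid 0 inherited from us and ruid = caller. */
    argv[0] = TARGET;
    execve(TARGET, argv, env);
    fprintf(stderr, "wrapper: execve %s: %s\n", TARGET, strerror(errno));
    return 1;
}
```

Note that this closes only the hole the thread describes (a path taken from the caller's environment); if the target also honours the caller's umask or trusts other inherited state such as open file descriptors, the wrapper would have to normalize those too.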
