Bugtraq mailing list archives

Re: HP UX Bug :)
From: brian () FIREHOUSE NET (Brian Mitchell)
Date: Tue, 2 Sep 1997 03:29:03 -0400


On Mon, 1 Sep 1997, Leonid S Knyshov wrote:

> However, it wipes out the target file. A symlink to /etc/passwd comes to
> mind.

The file would retain permissions. Permissions are set on create, it
probably is simply truncating the file.

> But, since it follows the umask, it might be possible to replace binaries
> executed by system...

See above.

> In any event, a very dangerous condition...

Indeed. .forward/.rhosts is the most obvious attack.

> I do not have access to source code, so I can't think of a patch.
> Probably replace getenv with getuid or something like that.

It's kinda lame, but:

Remove the s bit from the program, write a C program that clears the
environment and exports those variables it needs (setting the user via
getpwuid() or somesuch), then executes the program (while euid=0,
ruid=you).
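
An added illustration of the wrapper workaround described in the message above; it is not code from the thread or from the vendor. The target path, the variable names (LOGNAME, USER, HOME) and the PATH value are assumptions, since the post names neither the program nor the variables it reads.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder path (assumption): the original program, setuid bit removed. */
#define TARGET "/path/to/original-program"

/* Storage for the rebuilt environment; variable names are assumptions. */
static char env_logname[256], env_user[256], env_home[1024];
static char *clean_env[] = { env_logname, env_user, env_home,
                             "PATH=/usr/bin:/bin", NULL };

/* Write "KEY=value" into dst; fail on a missing or oversized value. */
static int put(char *dst, size_t n, const char *key, const char *val)
{
    int len;
    if (val == NULL)
        return -1;
    len = snprintf(dst, n, "%s=%s", key, val);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Fill clean_env from a passwd entry only; nothing is taken from the
 * caller's environment. Returns 0 on success, -1 on any failure. */
int build_clean_env(const struct passwd *pw)
{
    if (pw == NULL)
        return -1;
    if (put(env_logname, sizeof env_logname, "LOGNAME", pw->pw_name) != 0 ||
        put(env_user, sizeof env_user, "USER", pw->pw_name) != 0 ||
        put(env_home, sizeof env_home, "HOME", pw->pw_dir) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argc;
    /* Identity comes from the real uid, which the caller cannot forge. */
    if (build_clean_env(getpwuid(getuid())) != 0) {
        fputs("wrapper: no usable passwd entry for real uid\n", stderr);
        return 1;
    }
    /* The wrapper is installed setuid root, so the target still runs
     * with euid=0 and ruid=caller, but sees only clean_env. */
    execve(TARGET, argv, clean_env);
    perror("wrapper: execve");
    return 127;
}
```

The wrapper fails closed: if the real uid has no password entry, or a field is missing or too long, it exits without executing the target.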


