Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: /usr/sbin/audlinks vulnerability
From: Konrad Rieck <kr () R0Q CX>
Date: Fri, 5 Jan 2001 19:41:21 +0100

On Thu, Dec 28, 2000 at 02:34:50PM -0800, "Optyx - Uberhax0r Communications"@SECURITYFOCUS.COM wrote:

/usr/sbin/audlinks has the following behavior:
$ id
uid=100(optyx) gid=1(other)
$ mkdir -p /tmp/b/dev
$ ln -s /.rhosts /tmp/b/dev/.devfsadm_dev.lock
$ su root
Password:
# /usr/sbin/audlinks -r /tmp/b
# ls -l /.rhosts
-rw-r--r--   1 root     other          4 Dec 28 14:28 /.rhosts

As far as I know audlinks is deprecated for at least Solaris 8.
Devfsadm(1M) maintains the /dev and /devices namespaces. It replaces the
previous suite of devfs administration tools including audlinks(1M).

Casper Dik already mentioned that the generated /.rhosts file would
be useless if you plan to gain root privilegdes using rsh/rlogin.

But I'd like to add that I can't see a real vulnerability in the above
scenario. audlinks is used to add the audio symlinks and the sound
directory to the devices of a system (/dev), why the hell should an
administrator create these files in a directory owned by user in /tmp.

I can only imagine that an administrator mounts another root filesystem
and creates audlinks manuals, e.g.

    /usr/sbin/mount /dev/dsk/c0t0d0s0 /a
    /usr/sbin/audlinks -r /a

But in this case /a wouldn't be worldwritable. I can't see any problem
with audlinks. Sorry.

Regards,
Konrad

--
Konrad Rieck <kr () r0q cx>         Roqefellaz - http://www.r0q.cx
Fingerprint: 3AA8 CF92 C179 9760 C3B3  1B43 33B6 9221 AFBF 5897
--                 GPG Public Key http://www.r0q.cx/keys/kr.pub


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault