mailing list archives
Re: /usr/sbin/audlinks vulnerability
From: Konrad Rieck <kr () R0Q CX>
Date: Fri, 5 Jan 2001 19:41:21 +0100
On Thu, Dec 28, 2000 at 02:34:50PM -0800, "Optyx - Uberhax0r Communications"@SECURITYFOCUS.COM wrote:
/usr/sbin/audlinks has the following behavior:
$ mkdir -p /tmp/b/dev
$ ln -s /.rhosts /tmp/b/dev/.devfsadm_dev.lock
$ su root
# /usr/sbin/audlinks -r /tmp/b
# ls -l /.rhosts
-rw-r--r-- 1 root other 4 Dec 28 14:28 /.rhosts
As far as I know audlinks is deprecated for at least Solaris 8.
Devfsadm(1M) maintains the /dev and /devices namespaces. It replaces the
previous suite of devfs administration tools including audlinks(1M).
Casper Dik already mentioned that the generated /.rhosts file would
be useless if you plan to gain root privilegdes using rsh/rlogin.
But I'd like to add that I can't see a real vulnerability in the above
scenario. audlinks is used to add the audio symlinks and the sound
directory to the devices of a system (/dev), why the hell should an
administrator create these files in a directory owned by user in /tmp.
I can only imagine that an administrator mounts another root filesystem
and creates audlinks manuals, e.g.
/usr/sbin/mount /dev/dsk/c0t0d0s0 /a
/usr/sbin/audlinks -r /a
But in this case /a wouldn't be worldwritable. I can't see any problem
with audlinks. Sorry.
Konrad Rieck <kr () r0q cx> Roqefellaz - http://www.r0q.cx
Fingerprint: 3AA8 CF92 C179 9760 C3B3 1B43 33B6 9221 AFBF 5897
-- GPG Public Key http://www.r0q.cx/keys/kr.pub