Home page logo

bugtraq logo Bugtraq mailing list archives

Re: pmpost - another nice symlink follower
From: Damian Menscher <menscher () uiuc edu>
Date: Wed, 20 Jun 2001 01:55:51 -0500 (CDT)

On Tue, 19 Jun 2001, Jan-Frode Myklebust wrote:
On Mon, Jun 18, 2001 at 07:11:20PM +0200, Paul Starzetz wrote:
there is a symlink handling problem in the pcp suite from SGI. The
binary pmpost will follow symlinks, if setuid root this leads to instant
root compromise, as found on SuSE 7.1 (I doubt that this a default SuSE
package, though).

It's probably a very rare package under linux, but
more common under IRIX. I just tested your exploit
against SGI's binary release of PCP 2.1 under IRIX
6.5.12m, and it worked just fine (after minor fixes).

Comparing notes with Jan-Frode indicated that SGI has released more than
one version of PCP 2.1.  Not all versions are vulnerable (PCP 2.1 under
6.5.6m was not).  One way to check if you're vulnerable is to do a:

        strings /usr/pcp/bin/pmpost | grep PCP_LOG_DIR

If this string appears, you're vulnerable.  If it doesn't, you're
probably not.  Of course, to be safe you could always do the chmod.

Damian Menscher
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <menscher () uiuc edu> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]