Bugtraq mailing list archives

Solaris 2.x vulnerability


From: chasin () CRIMELAB COM (Scott Chasin)
Date: Mon, 14 Aug 1995 12:39:11 MDT


A major hole has been found on Solaris 2.x which will allow
anyone with a user account to gain root access.

I will be sending the exploit code to you in a few hours from now.

The bug exploits a common vulnerability that can be fixed with
an easy workaround: chmod +t /tmp

My suggestion to you is that you check all machines running Solaris 2.x
to see if the /tmp directory has the sticky bit set.

GOOD:  drwxrwxrwt   3 root     root         877 Aug 14 12:43 /tmp
EVIL:  drwxrwxrwx   3 root     root         877 Aug 14 12:43 /tmp


If you have any questions at all, please Email me.

Scott Chasin
chasin () crimelab com
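
The check the message asks for, as an added shell example that is not part of the original post: it classifies each directory as in the GOOD/EVIL listing, generalized to any list of directories and to directories that are not world-writable at all. The function names `classify_dir` and `audit_dirs` and the script name are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original message.
# Usage: sh check_sticky.sh /tmp /var/tmp

# classify_dir DIR prints one line starting with:
#   GOOD  world-writable, sticky bit set      (drwxrwxrwt)
#   EVIL  world-writable, sticky bit missing  (drwxrwxrwx)
#   OK    not world-writable, sticky bit not needed
# Returns 1 for EVIL, 2 if DIR is not a directory, 0 otherwise.
classify_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "SKIP  $dir (not a directory)"
        return 2
    fi
    # "$dir/." makes find look at the directory itself even when DIR is a
    # symlink; -prune stops it from descending. -perm -0002 is write
    # permission for others, -perm -1000 is the sticky bit.
    if [ -n "$(find "$dir/." -prune -perm -0002 ! -perm -1000)" ]; then
        echo "EVIL  $(ls -ldL "$dir")"
        return 1
    elif [ -n "$(find "$dir/." -prune -perm -0002 -perm -1000)" ]; then
        echo "GOOD  $(ls -ldL "$dir")"
    else
        echo "OK    $(ls -ldL "$dir")"
    fi
    return 0
}

# audit_dirs DIR... classifies every argument; returns 1 if any was EVIL.
audit_dirs() {
    bad=0
    for d in "$@"; do
        rc=0
        classify_dir "$d" || rc=$?
        [ "$rc" -ne 1 ] || bad=1
    done
    return "$bad"
}

# Run only when directories are given on the command line.
[ "$#" -eq 0 ] || audit_dirs "$@"
```

The non-zero exit status on any EVIL result lets the script be run from a loop over hosts and flagged without parsing its output.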


