Bugtraq mailing list archives

Re: BUGTRAQ ALERT: Solaris 2.x vulnerability


From: pug () arlut utexas edu (Pug)
Date: Wed, 16 Aug 1995 08:49:30 -0500


Okay, I must be missing something.

OPERATING SYSTEM(S):
         Solaris 2.x (Sunos 5.x)

???? I'm on 2.4 HW 3/95 (plus a bunch of patches of course) and can't
find this hole. I'm looking to see if we still have a 2.3 machine
around.

DESCRIPTION:
         A race condition exists in /usr/bin/ps when ps opens a temporary
         file when executed.  After opening the file, /usr/bin/ps chown's the
         temporary file to root and then renames it to /tmp/ps_data.

Well, I can't seem to find the temp files, even while running the exploit.
(With a while (1) ls -l ps.* |& grep -v "No match" running.)

WORKAROUND:
         chmod +t /tmp

If this is true, that means all of us *not* running with tmpfs will
be affected. There is a bug in the code such that the sticky bit works
correctly on tmpfs but not on ufs.

     unlink ("/tmp/ps_data");

Uhh. On my system this won't work since /tmp/ps_data is 664. Or is this
a matter of trying to catch the program twice?

        if (!strncmp (dp->d_name, "ps.", 3))
           sprintf (name, "/tmp/%s", dp->d_name);

I can't find this tmp file. I've checked the sources and it clearly does
create it; I just haven't been able to catch it. I'll keep trying though.

Mostly I wanted to point out the bugs in ufs /tmp with the sticky bit on.

Ciao,

--
Richard Bainter          Mundanely     |    System Analyst        - OMG/CSD
Pug                      Generally     |    Applied Research Labs - U.Texas
   pug () arlut utexas edu     |     pug () eden com     |     {any user}@pug.net
Note: The views may not reflect my employers, or even my own for that matter.
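As an added example, not from the thread or from the Solaris ps source, the two defender-side pieces this exchange turns on: a check that a temp directory actually carries the sticky bit (the `chmod +t /tmp` workaround), and the temp-file pattern that closes the open/chown/rename window described above, using mkstemp and fchown on the open descriptor instead of chown on a /tmp path. Function names and the sample payload are mine.

```python
import os
import stat
import tempfile

def dir_is_sticky(path):
    """True if `path` is a directory with the sticky bit set (the `chmod +t` state)."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)

def publish_data_file(directory, final_name, payload, owner_uid):
    """Create directory/final_name without ever chown'ing by path.

    The thread's pattern is open("/tmp/ps.NNN"), chown("/tmp/ps.NNN", root),
    rename(): between open and chown the name can be replaced by anyone who can
    write to /tmp.  Here the name is random and created O_EXCL by mkstemp,
    ownership and mode are set on the descriptor (fchown/fchmod), and only the
    final atomic rename touches a path.
    """
    st = os.stat(directory)
    # Refuse a world-writable directory without the sticky bit: there any user
    # may unlink or rename whatever we drop, regardless of how we create it.
    if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
        raise PermissionError(f"{directory} is world-writable and not sticky")
    fd, tmp_path = tempfile.mkstemp(prefix="ps.", dir=directory)  # 0600, O_EXCL
    try:
        os.write(fd, payload)
        os.fchown(fd, owner_uid, -1)  # acts on the file we opened, not on a name
        os.fchmod(fd, 0o644)
        os.fsync(fd)
    finally:
        os.close(fd)
    final_path = os.path.join(directory, final_name)
    os.rename(tmp_path, final_path)   # atomic; replaces any existing entry
    return final_path

def demo():
    """Exercise both pieces in a private scratch dir; returns values to check."""
    scratch = tempfile.mkdtemp()      # created 0700, so not world-writable
    payload = b"  PID TTY  TIME CMD\n"  # constructed sample data
    path = publish_data_file(scratch, "ps_data", payload, os.getuid())
    with open(path, "rb") as f:
        content = f.read()
    leftovers = [n for n in os.listdir(scratch) if n.startswith("ps.")]
    sticky_before = dir_is_sticky(scratch)
    os.chmod(scratch, 0o1700)         # the advisory's workaround, on our scratch dir
    sticky_after = dir_is_sticky(scratch)
    os.chmod(scratch, 0o777)          # world-writable, no sticky bit: must be refused
    try:
        publish_data_file(scratch, "other", b"", os.getuid())
        refused = False
    except PermissionError:
        refused = True
    return {"content": content, "mode": stat.S_IMODE(os.stat(path).st_mode),
            "leftovers": leftovers, "sticky_before": sticky_before,
            "sticky_after": sticky_after, "refused": refused}
```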