Bugtraq mailing list archives
Re: HP UX Bug :)
From: brian () FIREHOUSE NET (Brian Mitchell)
Date: Tue, 2 Sep 1997 03:29:03 -0400
On Mon, 1 Sep 1997, Leonid S Knyshov wrote:

> However, it wipes out the target file. A symlink to /etc/passwd comes to mind.

The file would retain permissions. Permissions are set on create; it probably is simply truncating the file.

> But, since it follows the umask, it might be possible to replace binaries executed by system...

See above.

> In any event, a very dangerous condition...

Indeed. .forward/.rhosts is the most obvious attack.

> I do not have access to the source code, so I can't think of a patch. Probably replace getenv with getuid or something like that.

It's kinda lame, but: remove the s bit from the program, write a C program that clears the environment and exports those variables it needs (setting the user via getpwuid() or somesuch), then executes the program (while euid=0, ruid=you).
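
The wrapper workaround described in the reply above, sketched as an added example (not code from the post or from the vendor). `TARGET` is a placeholder because the thread does not name the program, and the choice of `LOGNAME`, `USER` and `HOME` is an assumption about which variables it reads.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder: the thread does not name the affected program. */
#define TARGET "/path/to/target-program"
#define ENV_SLOTS 5   /* four variables plus the terminating NULL */

/* Refuse passwd fields that could inject a second assignment or line. */
static int safe_field(const char *s)
{
    return s && *s && !strchr(s, '=') && !strchr(s, '\n');
}

/* Append "key=val" at *cur; return its start, or NULL if it does not fit. */
static char *put(char **cur, char *end, const char *key, const char *val)
{
    char *start = *cur;
    int n = snprintf(start, (size_t)(end - start), "%s=%s", key, val);
    if (n < 0 || n >= end - start) return NULL;
    *cur = start + n + 1;
    return start;
}

/* Build the environment from the passwd entry only; nothing is copied
 * from the caller's environment. Returns the variable count or -1. */
int build_clean_env(const struct passwd *pw, char *buf, size_t len,
                    char *envp[ENV_SLOTS])
{
    char *cur = buf, *end = buf + len;
    int i = 0;
    if (!pw || !safe_field(pw->pw_name) || !safe_field(pw->pw_dir)) return -1;
    envp[i++] = put(&cur, end, "PATH", "/usr/bin:/bin");
    envp[i++] = put(&cur, end, "LOGNAME", pw->pw_name);
    envp[i++] = put(&cur, end, "USER", pw->pw_name);
    envp[i++] = put(&cur, end, "HOME", pw->pw_dir);
    envp[i] = NULL;
    for (int k = 0; k < i; k++) if (!envp[k]) return -1;
    return i;
}

int main(int argc, char *argv[])
{
    char buf[1024], *envp[ENV_SLOTS];
    (void)argc;
    /* Identity comes from the real uid, not from anything the caller set. */
    if (build_clean_env(getpwuid(getuid()), buf, sizeof buf, envp) < 0) return 1;
    execve(TARGET, argv, envp);   /* the target itself no longer has the s bit */
    perror("execve");
    return 1;
}
```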
