Bugtraq mailing list archives
Re: /usr/sbin/audlinks vulnerability
From: Konrad Rieck <kr () R0Q CX>
Date: Fri, 5 Jan 2001 19:41:21 +0100
On Thu, Dec 28, 2000 at 02:34:50PM -0800, "Optyx - Uberhax0r Communications"@SECURITYFOCUS.COM wrote:
> /usr/sbin/audlinks has the following behavior:
>
> $ id
> uid=100(optyx) gid=1(other)
> $ mkdir -p /tmp/b/dev
> $ ln -s /.rhosts /tmp/b/dev/.devfsadm_dev.lock
> $ su root
> Password:
> # /usr/sbin/audlinks -r /tmp/b
> # ls -l /.rhosts
> -rw-r--r-- 1 root other 4 Dec 28 14:28 /.rhosts

As far as I know audlinks is deprecated for at least Solaris 8.

Devfsadm(1M) maintains the /dev and /devices namespaces. It replaces the
previous suite of devfs administration tools including audlinks(1M).

Casper Dik already mentioned that the generated /.rhosts file would
be useless if you plan to gain root privileges using rsh/rlogin.

But I'd like to add that I can't see a real vulnerability in the above
scenario. audlinks is used to add the audio symlinks and the sound
directory to the devices of a system (/dev), why the hell should an
administrator create these files in a directory owned by a user in /tmp?

I can only imagine that an administrator mounts another root filesystem
and creates audlinks manually, e.g.

    /usr/sbin/mount /dev/dsk/c0t0d0s0 /a
    /usr/sbin/audlinks -r /a

But in this case /a wouldn't be world-writable. I can't see any problem
with audlinks. Sorry.

Regards,
Konrad
--
Konrad Rieck <kr () r0q cx> Roqefellaz - http://www.r0q.cx
Fingerprint: 3AA8 CF92 C179 9760 C3B3 1B43 33B6 9221 AFBF 5897
-- GPG Public Key http://www.r0q.cx/keys/kr.pub
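
The quoted session shows a root-run tool writing its lock file through a symlink planted in a user-owned directory. As an added example (not part of this post and not Solaris code), here is a lock-file open in C that refuses that case; the function name and the ownership and link-count policy are assumptions, and it guards only the last component of each path, so the directories above it still have to be trusted.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open or create lock file `name` in directory `dir`, refusing a symlink as
 * the final component of either. Returns an fd, or -1 with errno set. */
int open_lock_nofollow(const char *dir, const char *name)
{
    struct stat st;
    int fd, saved, dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;                 /* missing, not a directory, or a symlink */
    /* O_EXCL: create only if nothing, not even a dangling link, is there. */
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0 && errno == EEXIST) /* reuse a lock; a symlink fails here */
        fd = openat(dfd, name, O_WRONLY | O_NOFOLLOW | O_NONBLOCK);
    saved = errno;
    close(dfd);
    errno = saved;
    if (fd < 0)
        return -1;
    /* Accept only a regular, singly linked file owned by the caller. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed scratch directory standing in for <root>/dev. */
    char dir[] = "/tmp/lockdemoXXXXXX", lnk[64], tgt[64];
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(lnk, sizeof lnk, "%s/.devfsadm_dev.lock", dir);
    snprintf(tgt, sizeof tgt, "%s/target", dir);
    if (symlink(tgt, lnk) != 0)
        return 1;
    printf("symlinked lock: fd=%d\n", open_lock_nofollow(dir, ".devfsadm_dev.lock"));
    unlink(lnk);
    printf("clean dir:      fd=%d\n", open_lock_nofollow(dir, ".devfsadm_dev.lock"));
    return 0;
}
```
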
