OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 4th quarter (Oct-Dec) 1994: Re: finger-bombing, abuse timeout

Re: finger-bombing, abuse timeout

jsz (jszramon.bgu.ac.il)
Sat, 15 Oct 94 14:38:41 IST

> 
> > ObBug: The shell escape from 'crash' on SunOS... file descriptors are
> > left open to /dev/kmem and /dev/mem, among other things.
> > 
> >  % crash
> >  dumpfile = /dev/mem, ....
> >  > !/bin/sh
> >  % strings <&9 >/tmp/out &
> >  % id
> >   ....  egid=2(kmem)  ....
> > 
> > Ooops.  I understated the problem.
> 
> Yeh.  Regarding fixes, I checked - the shell script available from Sun
> as a patch to fix the FCS permissions does fix the permissions on crash
> so only root can run it.   I checked my machine, and it was not world
> executable (or anything).  I had run that fixit script some time ago.
> It is DEFINITELY a good thing to run, and then you can follow up and
> fix stuff like newsyslog (which it doesn't fix).  The thing is designed
> so one can add any files to a list built in, with fields for perms,
> type, owner, group, the whole thing.  In fact, I have been playing
> catch-up and any file I alter the perms on to lock things down, I add
> to the thing, so on a new install, I only need to run it.   There is a
> BUNCH of stuff owned by bin (/etc, /dev, most of the system subdirs) that
> are changed to root by the script - a must do on a box that exports stuff
> via NFS.
> 


Same problem (with both crash(1) and improperly set permissions) exists in
Solaris 1.1.1 through 5.4, but weirdly 100103-12 patch (script to change file
permissions to a more secure mode) seems to be integrated into 4.1.3_U1
(Solaris 1.1.1), and is NOT listed in a list of "security patches" that
I have obtained from sunsolve a week ago. I found a rather cute script
to change file permissions for Solaris 2.2 & 2.3 by Casper Dik, ftpable
from ftp.fwi.uva.nl:/pub/solaris, I think it can be used for Solaris 2.4 
as well, since the permissions are not fixed in 2.4 release either.

Regards

---