Re: pt_chmod
Bela Lubkin (belal sco.COM)
Fri, 2 Dec 1994 21:22:43 -0800
Carson Gaspar wrote:

> Does anyone know what the pt_chmod hole is? The same suid program exists in
> Solaris 2.x, and knowing Sun's track record...

By my testing, exactly the same bug exists on Solaris 2.3/SPARC; however, it does not cause a security hole there. The security hole is caused by how the SCO execution environment treats NULL dereferences. The same bug probably exists in the pt_chmod source on most System V systems; whether it causes a security problem depends on how the OS treats NULL dereferences.

Full disclosure has been sent to CERT for dissemination to other OS vendors. I am not in a position to publicly disclose full details at this time; I also think that to do so would be rude to other OS vendors who have not had a chance to issue their own fixes.

Your pt_chmod is safe if it coredumps when run as `pt_chmod < /etc/termcap`. If not, it might or might not be safe. Ask your OS vendor, "trace" or "truss".

I'm sorry that I can't say more.

>Bela<
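The check described in the message above, wrapped so that the outcome is read from the exit status. This is an added example, not part of the original post; the `PT_CHMOD` path is a placeholder and the helper names `crash_check` and `verdict` are hypothetical.

```shell
#!/bin/sh
# Added example: run a command with stdin redirected from a regular file,
# as in the post's `pt_chmod < /etc/termcap` test, and report how it ended.
# PT_CHMOD is a placeholder; set it to where your system installs pt_chmod.
PT_CHMOD="${PT_CHMOD:-/path/to/pt_chmod}"
INPUT="${INPUT:-/etc/termcap}"

# crash_check INPUT CMD [ARGS...]
# Prints one of: crashed:<signo>  exited:<status>  missing  no-input
crash_check() {
    input=$1; shift
    command -v "$1" >/dev/null 2>&1 || { echo "missing"; return 0; }
    [ -r "$input" ] || { echo "no-input"; return 0; }
    status=0
    "$@" < "$input" >/dev/null 2>&1 || status=$?
    if [ "$status" -gt 128 ]; then
        # sh and bash report death by signal N as exit status 128+N.
        echo "crashed:$((status - 128))"
    else
        echo "exited:$status"
    fi
}

# verdict RESULT: read the result the way the post does. Death on a signal
# (the post's "coredumps") means safe; a clean exit proves nothing either way.
verdict() {
    case $1 in
        crashed:*) echo "safe" ;;
        exited:*)  echo "inconclusive" ;;
        *)         echo "not-tested" ;;
    esac
}

result=$(crash_check "$INPUT" "$PT_CHMOD")
echo "pt_chmod check: $result -> $(verdict "$result")"
```

An "inconclusive" result is the case the post leaves open: follow up with the vendor or a system call trace.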