Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1996_4

Bugtraq archives for 4th quarter (Oct-Dec) 1996: Solaris 2.5 x86 aspppd (semi-exploitable-hole)

Solaris 2.5 x86 aspppd (semi-exploitable-hole)

Thamer Al-Herbish (shadowswhitefang.com)
Fri, 20 Dec 1996 20:53:56 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Thamer Al-Herbish: "CERT, CIAC, etc. and unethical practices"
Previous message: Gilles Soulet: "TCP bug on old Solaris box ?"

Although initialy when I first saw this hole I thought "noone is realy
vunerable", but after seeing how badly aspppd handled my modem line
getting dropped (Solaris doesnt down the interface, so you have to either
restart aspppd, or do it manualy), I figured some people running scripts
that restart aspppd might be.

Its relatively simple, in /tmp/ lies .asppp.fifo which is world r/w if
aspppd isnt running you simply ln -s /.rhosts /tmp/.asppp.fifo, when root
executes aspppd, /.rhosts is opened r/w as a fifo, the second aspppd dies
/.rhosts becomes a normal file world r/w.

aspppd isnt setuid, so it must be run by root and later killed for any of
this to work. Not likely, but if your like me and have a small  script to
keep up your link, (not anymore) your probably vunerable.

------------------------------------------------------------------------------
Thamer Al-Herbish (ShadowS)     The views expressed here, have no relevance
shadowswhitefang.com           to those of my employer. And may not have
shadowskuwait.net              any relevance to subject at hand.
                -=whitefang dawt kawm=-
-------------------------------------------------------------------------------

Next message: Thamer Al-Herbish: "CERT, CIAC, etc. and unethical practices"
Previous message: Gilles Soulet: "TCP bug on old Solaris box ?"