OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Solaris patchadd(1) (3) symlink vulnerabilty
From: Paul Szabo (pszMATHS.USYD.EDU.AU)
Date: Wed Dec 20 2000 - 16:13:29 CST

Juergen P. Meier <jpmclass.de> wrote:

> Solaris /usr/sbin/patchadd is a /bin/ksh script.
> The problem lies in the vulnerability of ksh.

Damn: thus it would seem that not only sh, but also ksh is vulnerable!

> However: Sun Microsystems does recommend to only install
> patches at single-user mode (runlevel S). ...
> ... if you follow the Vendors recommendations, you are
> not vulnerable.

The attacker can create the symlinks before you go single-user. As the
original poster Jonathan Fortin <jfortinREVELEX.COM> said:

> Only solution is to rm -rf /tmp/* /tmp/.* [and] make sure no users are on

Paul Szabo - pszmaths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia