Subject: Re: Solaris patchadd(1) (3) symlink vulnerabilty
From: Jonathan Fortin (Jfortin REVELEX.COM)
Date: Thu Dec 21 2000 - 06:44:57 CST
Greetings,
It is not the shell's fault in this case, it's the shell script itself that
is creating a faulty temp file, example pulled from the script,
tmp=$($GREP PATCHID $i). It's obvious that they're completely retarded,
whoever created patchadd.
The only solution to protect yourself would be mounting it with
nosymfollow if it's available in Solaris; since it's not in the version I
tried, Solaris 7, then we are kinda stuck with a bulky solution..
Sincerely,
Jonathan
-----Original Message-----
From: Paul Szabo
To: BUGTRAQ SECURITYFOCUS.COM
Sent: 20/12/00 5:13 PM
Subject: Re: Solaris patchadd(1) (3) symlink vulnerabilty
Juergen P. Meier <jpm class.de> wrote:
> Solaris /usr/sbin/patchadd is a /bin/ksh script.
> The problem lies in the vulnerability of ksh.
Damn: thus it would seem that not only sh, but also ksh is vulnerable!
> However: Sun Microsystems does recommend to only install
> patches at single-user mode (runlevel S). ...
> ... if you follow the Vendors recommendations, you are
> not vulnerable.
The attacker can create the symlinks before you go single-user. As the
original poster Jonathan Fortin <jfortin REVELEX.COM> said:
> Only solution is to rm -rf /tmp/* /tmp/.* [and] make sure no users are on
Paul Szabo - psz maths.usyd.edu.au
http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006
Australia
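
The failure mode discussed in this thread, shown as an added example that is not part of the original messages and is not patchadd's code: a script writing to a predictable name in a shared directory follows a pre-existing symlink, while a private `mktemp -d` work directory does not. The file name `patchwork.tmp` and the function names are hypothetical, and everything runs inside a scratch directory rather than the real /tmp.

```shell
#!/bin/sh
# Added example (not patchadd's code): predictable temp name vs. a private
# work directory. All paths live under a scratch directory, not the real /tmp.

# "Before": write to a predictable name in a shared directory. A plain '>'
# redirection follows a symlink that already exists at that name.
unsafe_write() {   # $1 = shared dir, $2 = data
    printf '%s\n' "$2" > "$1/patchwork.tmp"   # hypothetical fixed name
}

# "After": create a private 0700 directory with an unpredictable name and
# write inside it. No other user can pre-create entries in that directory.
safe_write() {     # $1 = shared dir, $2 = data; prints path of file written
    ( umask 077
      work=$(mktemp -d "$1/patchwork.XXXXXX") || exit 1
      printf '%s\n' "$2" > "$work/data" || exit 1
      printf '%s\n' "$work/data" )
}

# Constructed scenario: a symlink already sits at the predictable name and
# points at a file the script's user is able to overwrite.
run_demo() {       # prints "<victim after unsafe> <victim after safe>"
    shared=$(mktemp -d) || return 1
    printf 'original\n' > "$shared/victim"
    ln -s "$shared/victim" "$shared/patchwork.tmp"

    unsafe_write "$shared" "clobbered"
    after_unsafe=$(cat "$shared/victim")

    printf 'original\n' > "$shared/victim"    # reset the victim file
    out=$(safe_write "$shared" "clobbered") || return 1
    after_safe=$(cat "$shared/victim")
    written=$(cat "$out")                     # data landed in the private dir

    rm -rf "$shared"
    [ "$written" = "clobbered" ] || return 1
    printf '%s %s\n' "$after_unsafe" "$after_safe"
}

run_demo    # → clobbered original
```
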