From: Richard Johnson (thief@snosoft.com)
Date: Tue May 22 2001 - 13:21:00 CDT


    ======================================================================
    Strategic Reconnaissance Team Security Advisory(SRT2001-10)
    Topic: scoadmin /tmp issues
    Vendor: Santa Cruz Operations
    Release Date: 05/07/01
    ======================================================================
    .: Description
    scoadmin makes poor use of /tmp. File names are very predictable.

    .: Impact
    As a user: ln -s /etc/passwd /tmp/tclerror.1195.log
    Wait for root to run scoadmin from xwindows and voila!
    When he does, he will clobber /etc/passwd with a garbage file.

    In order to get the /tmp/tclerror.pid.log you need for root to have an
    improper term or cause some other error to happen.
    A good way to force an error is to stop xm_vtcld from opening...
    kindly leave a file where it wants its socket and it will complain.

    As a normal user: touch /tmp/5111_342.0
    When root goes to run scoadmin he will get an error and clobber his
    passwd file due to the ln -s on the tclerror.PID.log you left for him.

    .: Workaround
    Don't use scoadmin.

    .: Systems Affected
    Unixware 5.x

    .: Proof of Concept
    ln -s /etc/passwd /tmp/tclerror.1195.log

    .: Vendor Status
    A copy of this advisory was mailed to their attention.

    .: Credit
    Kevin Finisterre
    dotslash@snosoft.com

    .: DISCLAIMER

    ======================================================================
    ©Copyright 2001 Secure Network Operations, Inc. All Rights Reserved.
    Strategic Reconnaissance Team | recon@snosoft.com
    http://recon.snosoft.com | http://www.snosoft.com
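The /tmp bug class the advisory describes, as an added C example that is not part of the advisory or of scoadmin: the predictable-name open with O_TRUNC beside two hardened forms (O_CREAT|O_EXCL|O_NOFOLLOW, and mkstemp(3)), plus a harness that plants the advisory's tclerror.1195.log symlink in a private scratch directory and reports whether the link's target survived. The scratch directory, the "victim" file and all function names are constructed for this example; it assumes a POSIX system such as Linux.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern described above: a predictable <dir>/tclerror.<pid>.log plus
 * O_TRUNC; open(2) follows a planted symlink and truncates its target. */
int open_log_predictable(const char *dir, pid_t pid)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/tclerror.%d.log", dir, (int)pid);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL fails (EEXIST) if anything, a symlink included, already
 * sits at the name; O_NOFOLLOW (ELOOP) is a second guard against links. */
int open_log_exclusive(const char *dir, pid_t pid)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/tclerror.%d.log", dir, (int)pid);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Best: mkstemp(3) picks an unpredictable name and creates it atomically
 * with mode 0600, so there is no name to plant a link at in advance. */
int open_log_random(const char *dir, pid_t pid)
{
    char path[PATH_MAX];
    (void)pid;              /* the pid is no longer part of the name */
    snprintf(path, sizeof path, "%s/tclerror.XXXXXX", dir);
    return mkstemp(path);
}

/* Harness (constructed): scratch dir holding an 11-byte "victim" file and a
 * planted <dir>/tclerror.1195.log -> victim; returns the victim's size after
 * the opener runs as pid 1195: 0 means clobbered, 11 means intact, -1 error. */
long victim_size_after(int (*opener)(const char *, pid_t))
{
    char dir[] = "/tmp/srt-demo.XXXXXX", victim[PATH_MAX], link[PATH_MAX]; struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/tclerror.1195.log", dir);
    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v < 0 || write(v, "root:x:0:0:", 11) != 11 || symlink(victim, link)) return -1;
    close(v);
    int fd = opener(dir, 1195); if (fd >= 0) close(fd);
    return stat(victim, &st) == 0 ? (long)st.st_size : -1;
}
```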