List:       bugtraq
Subject:    Solaris 2.5 x86 aspppd (semi-exploitable-hole)
From:       Thamer Al-Herbish <shadows () whitefang ! com>
Date:       1996-12-20 20:53:56
Although initially, when I first saw this hole, I thought "no one is really
vulnerable", after seeing how badly aspppd handled my modem line
getting dropped (Solaris doesn't down the interface, so you have to either
restart aspppd or do it manually), I figured some people running scripts
that restart aspppd might be.

It's relatively simple: in /tmp/ lies .asppp.fifo, which is world r/w. If
aspppd isn't running, you simply ln -s /.rhosts /tmp/.asppp.fifo; when root
executes aspppd, /.rhosts is opened r/w as a fifo, and the second aspppd dies,
/.rhosts becomes a normal file, world r/w.

aspppd isn't setuid, so it must be run by root and later killed for any of
this to work. Not likely, but if you're like me and have a small script to
keep up your link (not anymore), you're probably vulnerable.

------------------------------------------------------------------------------
Thamer Al-Herbish (ShadowS)     The views expressed here, have no relevance
shadows@whitefang.com           to those of my employer. And may not have
shadows@kuwait.net              any relevance to subject at hand.
                -=whitefang dawt kawm=-
-------------------------------------------------------------------------------
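To see the mechanism concretely, here is a small C program added by the editor; it is not from the original post and not Sun's aspppd code. It replays the attack inside a private mkdtemp() directory that stands in for /tmp, with "rhosts" standing in for /.rhosts and "asppp.fifo" for /tmp/.asppp.fifo, so nothing real is touched. The naive open_control_fifo() opens whatever is at the fixed path, which is the behaviour the post relies on. The hardened variant assumes the daemon creates and owns its own FIFO: it checks with lstat() that the path is a FIFO owned by the caller, opens it with O_NOFOLLOW so a symlink cannot be swapped in between the check and the open, and re-checks the opened object with fstat(). The payload line is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* mkdtemp(), O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum outcome {
    OUTCOME_ERROR = -1,      /* sandbox could not be built */
    OUTCOME_TARGET_WRITTEN,  /* the write landed in the attacker's target file */
    OUTCOME_OPEN_REFUSED     /* the daemon refused the planted path */
};

/* Stand-in for the daemon opening its control fifo at a fixed, predictable
 * path.  Naive: open whatever is there, so a symlink planted while the daemon
 * was down is followed (what the post describes).  Hardened: require a FIFO
 * owned by the caller, open with O_NOFOLLOW, then re-check the opened object. */
static int open_control_fifo(const char *path, int hardened)
{
    struct stat st;
    int fd;

    if (!hardened)
        return open(path, O_RDWR);
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISFIFO(st.st_mode) || st.st_uid != getuid())
        return -1;
    fd = open(path, O_RDWR | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Replays the attack in a private mkdtemp() directory: "rhosts" stands in
 * for /.rhosts and "asppp.fifo" for /tmp/.asppp.fifo. */
static enum outcome simulate(int hardened)
{
    char dir[] = "/tmp/asppp-demo-XXXXXX";
    char target[64], fifo[64], readback[64];
    static const char payload[] = "attacker.example.org attacker\n"; /* constructed */
    enum outcome result = OUTCOME_ERROR;
    ssize_t n;
    int fd;

    if (mkdtemp(dir) == NULL)
        return OUTCOME_ERROR;
    snprintf(target, sizeof target, "%s/rhosts", dir);
    snprintf(fifo, sizeof fifo, "%s/asppp.fifo", dir);

    /* The file root will later trust: empty, like a fresh /.rhosts. */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    close(fd);
    /* Attacker, while the daemon is down: plant the link at the fifo path. */
    if (symlink(target, fifo) != 0)
        goto out;
    /* Daemon starts (as root in the real case) and opens its "fifo". */
    fd = open_control_fifo(fifo, hardened);
    if (fd < 0) {
        result = OUTCOME_OPEN_REFUSED;
        goto out;
    }
    /* Whatever it writes now goes wherever the link points. */
    n = write(fd, payload, sizeof payload - 1);
    close(fd);
    if (n != (ssize_t)(sizeof payload - 1))
        goto out;
    /* Did the attacker's line end up in the target file? */
    fd = open(target, O_RDONLY);
    if (fd < 0)
        goto out;
    n = read(fd, readback, sizeof readback - 1);
    close(fd);
    if (n == (ssize_t)(sizeof payload - 1) && memcmp(readback, payload, n) == 0)
        result = OUTCOME_TARGET_WRITTEN;
out:
    unlink(fifo);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("naive:    %s\n", simulate(0) == OUTCOME_TARGET_WRITTEN ? "target overwritten" : "no write");
    printf("hardened: %s\n", simulate(1) == OUTCOME_OPEN_REFUSED ? "open refused" : "opened");
    return 0;
}
```

The lstat()/open()/fstat() triple is the point: lstat() alone leaves a window in which the attacker can replace the FIFO with a link, and O_NOFOLLOW alone does not stop a link in an earlier path component, which is why a daemon should also keep its FIFO in a directory that only it can write rather than in a shared /tmp.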