Re: SunOS exploit.

Casper Dik (casper@HOLLAND.SUN.COM)
Tue, 20 May 1997 09:43:11 +0200

>This worked on SunOS 5.5.1 Generic_103640-05 sun4m sparc.
>
>Please mind you that this only works on versions of programs
>that use getenv("USER"); to obtain the username, I'm also aware
>anyone who uses elm on ANY system, Linux, BSD, SunOS included
>can read any users mail :P. getenv("USER") on programs that are
>reliant on the USERNAME isn't safe especially when they're +s'ed.

SunOS 5.x/Solaris 2.x doesn't come with chfn/chsh. So if you have binaries
that produce this bug under SunOS 5.5.1, you have installed them yourself.

BTW, for proper operation chfn/chsh like programs need to be set-uid.

Casper
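
An added example, not part of the original message or of any chfn/chsh source: the getenv("USER") pattern discussed above next to the lookup a set-uid program should use, which derives the name from the real uid. The function names are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Unsafe pattern from the quoted report: the name comes from an
 * environment variable, which the invoking user sets to anything. */
static const char *claimed_user(void)
{
    return getenv("USER");
}

/* Safer pattern: look the name up from the real uid. In a set-uid
 * program the effective uid changes, the real uid still identifies
 * the caller. Returns 0 on success, -1 if there is no passwd entry
 * or the name does not fit in the buffer. */
static int real_user(char *out, size_t outlen)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_name == NULL || strlen(pw->pw_name) >= outlen)
        return -1;
    strcpy(out, pw->pw_name);
    return 0;
}

/* 1 if the claimed name matches the real uid's passwd entry,
 * 0 if it differs or is missing, -1 if the real name is unresolvable. */
static int claim_matches_real_uid(const char *claim)
{
    char name[256];
    if (real_user(name, sizeof name) != 0)
        return -1;
    return claim != NULL && strcmp(claim, name) == 0;
}

int main(void)
{
    const char *claim = claimed_user();
    char name[256];
    if (real_user(name, sizeof name) != 0) {
        fprintf(stderr, "no passwd entry for uid %ld\n", (long)getuid());
        return 1;
    }
    printf("real uid %ld is \"%s\"; $USER claims \"%s\" (%s)\n",
           (long)getuid(), name, claim ? claim : "(unset)",
           claim_matches_real_uid(claim) == 1 ? "consistent" : "MISMATCH");
    return 0;
}
```

Running it as `USER=root ./a.out` from an ordinary account prints MISMATCH, since only the environment value changed.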