Excerpt: > Impact: An attacker can gain root priviledge by forcing the 'lsadmin' > binary to execute code of attackers choice. The 'lsadmin' binary > is setuid root. > > > Description: > > The 'lsadmin' binary has a "ckconfig" command. It uses it to check the > correctness of config files. Right after it starts, it is using the > external 'lim' binary . It is using the LSF_SERVERDIR variable in lsf.conf > file to obtain a path for 'lim' binary. Regular user can make his own > lsf.conf file and, by using the LSF_ENVDIR variable, force 'lsadmin' to > use it instead of default /etc/lsf.conf file. Attacker can therefore point > the LSF_SERVERDIR variable to his own 'lim' binary. The attackers 'lim' > binary will be executed with setuid root priviledges. > > URL: http://www.securityfocus.com/archive/1/322242/2003-05-19/2003-05-25/0 Regards, Chris -- Chris Dagdigian, <dag@sonsorol.org> BioTeam Inc. - Independent Bio-IT & Informatics consulting Office: 617-666-6454, Mobile: 617-877-5498, Fax: 425-699-0193 PGP KeyID: 83D4310E Yahoo IM: craffi Web: http://bioteam.net