`w00w00 Security Development (WSD)
http://www.w00w00.org/advisories.html
---------------------------------------------------------------------------
Relocation of w00w00.org:
After being relocated, http://www.w00w00.org is up and running. Although
we are using an old backup of the site (off the mirror), we have added
a new w00bio and w00giving (advisories) section. When we receive the
newest backup of the site, we'll finish updating (notice all the new
w00quotes!). You can find our bio, articles, code/projects, and advisories
on the site. Send us your input.
Note on w00w00:
At 30+ active members (in seven countries, three continents, and twelve
US states), w00w00 has grown into the world's largest non-profit security
team. Of course, we love our nearest competitors, Cult of the Dead Cow
(CDC), at 22-23 members. [The largest for-profit security team that I am
aware of is ISS's X-Force.]
---------------------------------------------------------------------------
Discovered by: ktwo ([email protected])
When patches/fixes are applied to binaries on UnixWare 7, the original,
unpatched binary files (with the suid/sgid bits maintained) are stored
in /var/sadm. By default, the permissions on this directory are 755.
This allows normal users to execute and exploit old binaries left over
from patching.
---------------------------------------------------------------------------
Patch:
Run 'chmod o-rx /var/sadm' to remove read/execution privileges for normal
users.
---------------------------------------------------------------------------
Contributors to w00giving '99: awr, jobe, Sangfroid, rfp, vacuum,
interrupt, dmess0r, marc, kitekoa, and K2
People who deserve hellos: nocarrier, minus, daveg, nny, dark
spyrit (and beavuh), and blakew
w00giving '99 advisories are being archived by
kitekoa at:
http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Fest/\
w00giving99[1-3].htm.
`
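An added audit sketch for the condition the advisory describes (not part of the original advisory): it reports whether "other" users still have read or search permission on a patch-backup directory and lists the setuid/setgid files kept beneath it. The function names, output format and exit codes are assumptions of this example; only /var/sadm and the `chmod o-rx` fix come from the advisory.

```shell
#!/bin/sh
# Added example: audit a patch-backup directory (the advisory's /var/sadm).

# Print the "other" permission triplet: characters 8-10 of the ls -ld mode string.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Print every regular file under DIR that carries the setuid or setgid bit.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Report DIR's state and its set-id files.
# Returns 1 when others can read or search DIR and set-id files exist, 2 if DIR
# is not a directory, 0 otherwise. Run as root so restricted trees are readable.
audit_backup_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "SKIP $dir: not a directory"; return 2; }
    case $(other_bits "$dir") in
        -?[-T]) state=RESTRICTED ;;   # no read, no search for others
        *)      state=EXPOSED ;;      # e.g. r-x from the default mode 755
    esac
    echo "$state $dir (other=$(other_bits "$dir"))"
    files=$(list_setid_files "$dir") || true
    [ -n "$files" ] || return 0
    echo "$files"
    [ "$state" = RESTRICTED ]
}

# Audit the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_backup_dir "$1"
fi
```

Run it as root with /var/sadm as the argument; an exit status of 1 means the directory is still open to other users and set-id backups are reachable through it.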