Subject: [w00giving '99 #3 and w00news] UnixWare 7's /var/sadm

w00w00 Security Development (WSD)
http://www.w00w00.org/advisories.html

---------------------------------------------------------------------------
Relocation of w00w00.org

After being relocated, http://www.w00w00.org is up and running.  Although
we are using an old backup of the site (off the mirror), we have added
a new w00bio and w00giving (advisories) section.  When we receive the
newest backup of the site, we'll finish updating (notice all the new
w00quotes!).  You find our bio, articles, code/projects, and advisories
on the site.  Thanks

Note on w00w00

At 30+ active members (in seven countries, three continents, and twelve
US states), w00w00 has grown into the world's largest non-profit security
team.  Of course, we love our nearest competitors, Cult of the Dead Cow
(CDC), at 22-23 members.  [The largest for-profit security team that I
(the author) am aware of is ISS's X-Force.]

---------------------------------------------------------------------------
Discovered by: ktwo (ktwo@ktwo.ca)

When you apply patches to binaries (i.e., for bug fixes), the original,
unpatched binary files (with the suid/sgid bits maintained) are stored 
in /var/sadm.  By default, the permissions on this directory is 755.  
This allows normal users to execute and exploit old binaries leftover
from patching.

---------------------------------------------------------------------------
Patch:

Run 'chmod o-x /var/sadm' to remove execution privileges for normal
users.
---------------------------------------------------------------------------

Contributors to w00giving '99: awr, jobe, Sangfroid, rfp, vacuum,
interrupt, dmess0r, marc, kitekoa, and K2

People who deserve hellos: nocarrier, minus, daveg, nny, dark 
spyrit (and beavuh), and w00god blake

w00giving and Octoberfest advisories are being archived by
kitekoa at:
http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Fest/\
w00giving99[1-3].htm.
