Security Info (root broken)

Pat Myrto (rwing!pat@ole.cdac.com)
Wed, 28 Sep 94 6:12:09 PDT

I need some answers, badly.

The OS was SunOS 4.1.3_U1B.  The machine was a 4/470.

A site I was helping on was broken into and maliciously destroyed the
other day (rendered un-login-able), apparently via a hole I am unaware
of (thanks for nothing, security thru obscurity folks - the crackers DO
have information that is denied us 'ordinary' folks).  This was a new
install, and it lasted about 4 days.   One person heard thru the cracker
grapevine that root was broken thru /bin/mail.  HOW?!  The
permissions-fixing script from Sun had been run, plus things like arp,
chill and rdist were made unavailable to users (chmod o-rx).  Rdist was
replaced by the fixed version and made unavailable for use to users
(chmod o-rx).
The original passwd command was made mode 400, as well as yppasswd, and
a replacement passwd command was installed that didn't have the -F
option, or the chfn or chsh options.  The C2conv script had also been
run.  Sendmail was replaced by the newest version with all the fixes,
and bind 4.9.2 replaced the original nameserver, as well as its resolver
library.  All programs replaced were renamed and made mode 400, owner
root.  Newsyslog was also chown'd to root, and the chmod 666 $LOG was
changed to 644.  /etc/utmp was also changed to mode 644.  Without better
info, all the above work was a total waste of time.

Can someone out there please inform me how these cracker types are getting
root privs, and how one can stop it short of disconnecting the machine?
And most important, how one can test for these vulnerabilities, and FIX
them.  Is there a hole in /bin/mail?  How does one test for it (I am working
on a port of net-2s /bin/mail replacement).  Also, how can one prevent
anyone from being able to forge mail via the -f option?

One cannot run like this, defenseless against malicious people getting
their kicks ripping the machine apart at will.  The site involved is to
be a dialup public-access site, so isolating it is not an option (and
if people must disconnect from the world to stay whole, what use is the
machine?)  Please help!  I need GOOD information - not "X is broken -
fix it" without info as to WHY it's broken and HOW it is fixed and
VERIFYING it is fixed.  The insight so obtained will also be of use in
checking for other holes.

Thanks - I will summarize.
-- 
pat@rwing  [If all fails, try:  rwing!pat@eskimo.com]  Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence."  --   Ann Landers, nationally syndicated advice columnist
and Director at Handgun Control Inc.
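The permission-hardening steps the post lists (chmod o-rx on rdist, arp and chill, mode 400 on the original passwd and yppasswd, newsyslog owned by root, /etc/utmp mode 644) are exactly the kind of thing that should be re-verified after every install rather than trusted once. The script below is an added example, not part of the original post or of any Sun-supplied fix script: a small shell audit that takes a spec of "path mode owner" lines and reports every file that deviates, where the mode is either an exact octal value or the literal o-rx (others may have neither read nor execute, whatever else is set). It assumes GNU stat(1) with -c (SunOS 4.1.3 would need an ls -l parser instead), and the demo builds a throwaway tree under a temporary directory with the current user as owner; the file locations in the demo are assumed for illustration, not a statement of where SunOS installs them. Nothing here says anything about the /bin/mail hole the post asks about, since the post does not describe it.

```shell
#!/bin/sh
# Added example: audit file modes and owners against a spec.
# Assumes GNU stat(1) (-c '%a %U'); not the SunOS 4.1.3 stat/ls.

# audit_perms ROOT SPEC
#   ROOT: directory prefix ("/" for a live system, a staging dir for a test)
#   SPEC: newline-separated lines "<path> <mode> <owner>", where <mode> is
#         exact octal (400, 644, 4711, ...) or the literal o-rx.
# Prints one line per deviation and returns the number of deviations,
# so "audit_perms / "$SPEC" || alarm" works in a cron job.
audit_perms() {
    root=$1
    spec=$2
    bad=0
    while read -r path want_mode want_owner; do
        case "$path" in ''|'#'*) continue ;; esac   # skip blanks/comments
        f="${root%/}/${path#/}"
        if [ ! -e "$f" ]; then
            printf 'MISSING %s\n' "$path"
            bad=$((bad + 1))
            continue
        fi
        # stat %a = octal mode (with setuid/setgid bits), %U = owner name
        set -- $(stat -c '%a %U' "$f")
        have_mode=$1
        have_owner=$2
        ok=1
        if [ "$want_mode" = "o-rx" ]; then
            # 05 masks the other-read and other-execute bits; the leading 0
            # makes the arithmetic expansion read the mode as octal
            [ $((0$have_mode & 05)) -eq 0 ] || ok=0
        else
            [ "$have_mode" = "$want_mode" ] || ok=0
        fi
        [ "$have_owner" = "$want_owner" ] || ok=0
        if [ "$ok" -eq 0 ]; then
            printf 'BAD %s: want %s %s, have %s %s\n' \
                "$path" "$want_mode" "$want_owner" "$have_mode" "$have_owner"
            bad=$((bad + 1))
        fi
    done <<EOF
$spec
EOF
    return $bad
}

# demo_audit: constructed tree mirroring the post's hardening, with two
# deliberate problems (arp left world-executable, chill not present).
# Paths are assumed for illustration; owner is whoever runs the script.
demo_audit() {
    me=$(id -un)
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/usr/ucb" "$t/usr/etc" "$t/etc"
    for p in bin/passwd bin/yppasswd usr/ucb/rdist usr/etc/arp etc/utmp; do
        : > "$t/$p"
    done
    chmod 400 "$t/bin/passwd" "$t/bin/yppasswd"   # originals locked down
    chmod 750 "$t/usr/ucb/rdist"                 # o-rx applied
    chmod 755 "$t/usr/etc/arp"                   # mistake: o-rx forgotten
    chmod 644 "$t/etc/utmp"
    spec="/bin/passwd 400 $me
/bin/yppasswd 400 $me
/usr/ucb/rdist o-rx $me
/usr/etc/arp o-rx $me
/usr/etc/chill o-rx $me
/etc/utmp 644 $me"
    if audit_perms "$t" "$spec"; then rc=0; else rc=$?; fi
    rm -rf "$t"
    return $rc   # 2: one BAD (arp) and one MISSING (chill)
}

demo_audit
```

On a live machine the spec would carry the real owner (root) and the real paths, and the script would run from cron against "/" with its output mailed to the administrator; a non-zero return is the signal that something changed since the last hardening pass.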