Re: Security Info (root broken)

Timothy Newsham (newsham@wiliki.eng.hawaii.edu)
Thu, 29 Sep 1994 09:28:23 -1000 (HST)

> 
[../bin/mail write to file as uid 0 bug...]

> As I remember the race condition, you don't have a problem if you don't
> allow the 'r' commands into your system. The race condition created a
> .rhosts file for accounts that had UID 0, but no existing .rhosts file.
> I can't find my copy of the exploit anymore to be certain. As well, you
> had to start on the system, so it wasn't that much of an external job
> anyway.

That's what the exploit script did.  That doesn't mean that is all you
are limited to.  You could just as easily write a .forward file
that has "|/tmp/prog" which then runs a program whenever the account
is mailed to.  You can also write to .login or .cshrc files that
don't exist (hmm.. remember those "delete any file on the filesystem"
bugs?).  There are probably other files that are worth writing to
that may not exist.  The mail hole shouldn't be left around just
because you aren't running r commands.

> Richard Bainter          Mundanely     |    System Analyst        - OMG/CSD
> Pug                      Generally     |    Applied Research Labs - U.Texas
>           pug@arlut.utexas.edu         |    pug@bga.com
> Note: The views may not reflect my employers, or even my own for that matter.
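An added example, not from the original post or either of its authors: a small POSIX shell audit of a privileged account's home directory for the dot-files the reply names as targets of a write-as-uid-0 bug (.rhosts, a .forward that pipes mail to a program, .login and .cshrc). The function names, the sample home directory built by make_sample, and its file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a privileged account's home
# directory for the dot-files the post names as targets of a write-as-uid-0 bug.
# The sample home directory built by make_sample is constructed for illustration.

# audit_home DIR: print one line per finding, return 1 if anything was found.
audit_home() {
    dir=$1
    found=0
    # .rhosts: any entry grants r-command access; a "+" entry grants it to everyone.
    if [ -f "$dir/.rhosts" ]; then
        if grep -q '^[[:space:]]*+' "$dir/.rhosts"; then
            echo "$dir/.rhosts: wildcard '+' entry"
        else
            echo "$dir/.rhosts: present"
        fi
        found=1
    fi
    # .forward: a "|program" line runs the program whenever mail arrives.
    if [ -f "$dir/.forward" ] && grep -q '|' "$dir/.forward"; then
        echo "$dir/.forward: pipes mail to a program"
        found=1
    fi
    # .login / .cshrc run at every csh login; flag them for review if present.
    for f in .login .cshrc; do
        if [ -f "$dir/$f" ]; then
            echo "$dir/$f: present, review contents"
            found=1
        fi
    done
    return $found
}

# count_findings DIR: number of finding lines, for scripts and tests.
count_findings() {
    audit_home "$1" | wc -l | tr -d ' '
}

# make_sample: build a throwaway home directory holding the kinds of files the
# post describes (constructed data) and print its path.
make_sample() {
    d=$(mktemp -d)
    printf '|/tmp/prog\n' > "$d/.forward"
    printf '+ +\n' > "$d/.rhosts"
    printf 'echo hi\n' > "$d/.cshrc"
    echo "$d"
}

# Stand-alone run over the constructed sample.
sample=$(make_sample)
if audit_home "$sample"; then
    echo "$sample: clean"
fi
rm -rf "$sample"
```

In use you would run audit_home over the home directory of every uid-0 account in /etc/passwd and compare the flagged .login and .cshrc files against a known-good copy, since those are expected to exist for root on most systems; the .forward pipe and a wildcard .rhosts are findings on their own.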