Re: Exploit for Linux wu.ftpd hole

Mike Edulla (medulla@infosoc.com)
Wed, 5 Jul 1995 18:06:10 -0400

On Wed, 5 Jul 1995, Henri Karrenbeld wrote:

> Date: Wed, 5 Jul 1995 18:44:17 +0100
> From: Henri Karrenbeld <H.Karrenbeld@ct.utwente.nl>
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
> Subject: Exploit for Linux wu.ftpd hole
>
> Since Bugtraq is exceptionally quiet lately, I thought I should make it
> come alive again with this discussion of the bug that was reported in
> the wu.ftpd that comes with some Slackware distributions of Linux.
> The report was just before Bugtraq went down for a long time, but
> I've found the bug still to be present on all the Linux machines that
> I have access to. So maybe it needs to be brought a little more in
> the open. Here we go:
>
> ObBug: - Short description of the bug
>

<snip>

Fortunately, this bug is mainly fixed by now (I would hope)...

minicom has a known, but not very well-known hole in it that is nearly
identical to the wu-ftp hole. If you are a legitimate user of a pre-1.71
version of minicom, you can get root, it's the same sort of thing,
seteuid(0), and then make a suid root shell somewhere - you do it by
changing the name of 'runscript' to your shell...

It wouldn't really be much of a problem, except that Linux to this day (I
believe) continues to have the users gonzo, satan, and snake in
minicom.users (or the Slackware release does, at the very least).
---

There also appears to be a bug in syslog. If you do something like:

grep -v "ROOT" messages > mmm; mv mmm messages

Logging is disabled. I suspect this problem is that the file pointer
maintained by syslog is getting ahead of the physical EOF, and thus
writes will fail, but this is just a guess, and I haven't looked at the
source to Linux's syslog.
---

But a more interesting topic than linux bugs would be helpful; ever since
the list went moderated, it seems to have gotten mighty quiet.
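
Added example, not part of the original message and not code from syslog: a Python sketch of how a monitoring check can notice the condition described in the syslog item above, where a log file is filtered and renamed over itself while a writer still holds it open. It assumes the writer keeps one long-lived append descriptor; the function names and log lines are constructed for illustration.

```python
import os
import tempfile

def filter_and_replace(path, needle):
    """Mimic `grep -v needle path > tmp; mv tmp path` from the post."""
    tmp = path + ".tmp"
    with open(path) as src, open(tmp, "w") as dst:
        dst.writelines(line for line in src if needle not in line)
    os.replace(tmp, path)  # rename: the path now names a different inode

def writer_is_detached(fd, path):
    """True when an open descriptor no longer refers to the file at path."""
    held = os.fstat(fd)
    try:
        current = os.stat(path)
    except FileNotFoundError:
        return True
    return (held.st_dev, held.st_ino) != (current.st_dev, current.st_ino)

def demo():
    path = os.path.join(tempfile.mkdtemp(), "messages")
    # Stand-in for the logging daemon; the log lines below are constructed.
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    os.write(fd, b"Jul  5 18:00:01 host login: ROOT LOGIN on tty1\n")
    os.write(fd, b"Jul  5 18:00:02 host kernel: eth0 up\n")
    before = writer_is_detached(fd, path)

    filter_and_replace(path, "ROOT")
    # This write succeeds, but lands in the old, now nameless inode.
    os.write(fd, b"Jul  5 18:00:03 host su: session opened\n")
    after = writer_is_detached(fd, path)
    with open(path) as f:
        visible = f.read()
    orphan_links = os.fstat(fd).st_nlink  # 0 once the old inode has no name

    # Recovery: reopen by path, as restarting or reloading the logger does.
    os.close(fd)
    fd = os.open(path, os.O_WRONLY | os.O_APPEND)
    os.write(fd, b"Jul  5 18:00:04 host syslogd: restart\n")
    recovered = not writer_is_detached(fd, path)
    os.close(fd)
    with open(path) as f:
        final = f.read()
    return before, after, visible, orphan_links, recovered, final

if __name__ == "__main__":
    print(demo())
```

Comparing the device and inode of the descriptor with those of the path is the same check a log watcher can run periodically against the files a logging daemon is expected to be writing.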