[639] in linux-security and linux-alert archive

[linux-security] Problem with sliplogin on Linux

daemon@ATHENA.MIT.EDU (Olaf Kirch)
Thu Mar 21 13:41:50 1996

To: linux-alert@tarsier.cv.nrao.edu
cc: linux-security@tarsier.cv.nrao.edu, bugtraq@crimelab.com
Date: Wed, 20 Mar 1996 19:58:05 +0100
From: Olaf Kirch <okir@monad.swb.de>

-----BEGIN PGP SIGNED MESSAGE-----


Hi all,

When installed to provide users with SLIP accounts on your system,
sliplogin can be abused to execute commands under the root uid.
This hole does *not* seem to be exploitable when you don't have any SLIP
users configured in your /etc/passwd.

I'm not going to give away the details of the exploit yet; watch for a 
follow-up posting to linux-security within a week or two.

Anyone providing SLIP logins using this program should upgrade to the
latest version from sunsite.unc.edu:

ftp://sunsite.unc.edu/pub/linux/system/Network/serial/sliplogin-2.0.2.tar.gz
md5sum: 1634ab3f8d0ce130e59476ede9662ee5  sliplogin-2.0.2.tar.gz

Cheers
Olaf

PS: you may have to adapt your login/logout scripts because the
argument list has been changed throughout several releases.
- -- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
             For my PGP public key, finger okir@brewhq.swb.de.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

-----END PGP SIGNATURE-----
