[18716] in bugtraq
Re: Solaris /usr/bin/cu Vulnerability
daemon@ATHENA.MIT.EDU (Wietse Venema)
Mon Jan 22 17:07:22 2001
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Message-ID: <20010119180245.77160BC0C7@spike.porcupine.org>
Date: Fri, 19 Jan 2001 13:02:45 -0500
Reply-To: Wietse Venema <wietse@PORCUPINE.ORG>
From: Wietse Venema <wietse@PORCUPINE.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010119105045.E21841@alcove.wittsend.com> "from Michael H.
Warfield at Jan 19, 2001 10:50:45 am"
On Thu, Jan 18, 2001 at 11:57:12PM +0100, Konrad Rieck wrote:
> cu is only set setuid for the owner uucp and an attacker won't gain any
> special privileges, but he would gain access to the files in /etc/uucp.
Michael H. Warfield:
> Correction... He does gain special privileges. He gains access
> to all the uucp control files which can contain account names and passwords
> on other systems. It ain't root, but it's more than what he should have.
It is worse than that. Once UUCP privilege is gained you can replace
the UUCP executables. That gives you full control over any user that
happens to execute those UUCP executables - a root-owned cron job,
a sendmail.cf mailer rule that executes as daemon, and so on.
Wietse
