[23362] in bugtraq


Re: UUCP

daemon@ATHENA.MIT.EDU (Casper Dik)
Sun Dec 2 19:10:48 2001

Message-Id: <200112011804.TAA12405@romulus.Holland.Sun.COM>
To: sirsyko@ishiboo.com
Cc: Bob Howard <reh@umich.edu>, Izik <izik@tty64.org>,
        vuln-dev@security-focus.com, bugtraq@securityfocus.com
In-reply-to: Your message of "Fri, 30 Nov 2001 15:17:27 PST."
             <20011130151727.A13019@skoda.sockpuppet.org> 
Date: Sat, 01 Dec 2001 19:04:40 +0100
From: Casper Dik <Casper.Dik@Sun.COM>


>> Don't know about BSDi, but on Solaris uucp owns tip, uuencode, uudecode,
>> and others.  So if I can use this vuln to su uucp, I can trojan e.g.
>> tip.  Then the next time root runs what he thinks is tip, I've got the
>> box.
>
>on solaris:
>
>$ grep uucp /etc/inetd.conf
>uucp   stream  tcp     nowait  root    /usr/sbin/in.uucpd      in.uucpd

I think you'll find that in Solaris 8 and later, only those
executables that are set-uid uucp have retained uucp ownership.

(Tip, of course, is still often executed by root in some settings)

(Oh, and we're discussing a buffer overflow in uucp on BSDi, so
Solaris may not be a target for this problem)

Casper
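
An audit for the ownership issue discussed in this thread, added here as an example and not part of the original message: it lists executables owned by an account (uucp by default) that are not set-uid to it, and goes slightly further by also flagging executables that sit in directories the account owns. The function names, finding labels and the default path /usr/bin are assumptions of this example.

```python
# Added example: names, labels and default path are hypothetical, not from the thread.
import os
import stat

def classify(file_uid, file_mode, dir_uid, account_uid):
    """Return a finding label for one file, or None if it is unaffected."""
    if not stat.S_ISREG(file_mode) or not file_mode & 0o111:
        return None                      # only regular executables matter here
    if file_uid == account_uid:
        if file_mode & stat.S_ISUID:
            return "setuid-to-account"   # ownership is what set-uid relies on
        return "replaceable-by-account"  # owner can rewrite it; risky if root runs it
    if dir_uid == account_uid:
        return "dir-owned-by-account"    # directory owner can unlink and recreate it
    return None

def audit(root, account_uid):
    """Walk root and return sorted (label, path) findings for account_uid."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dir_uid = os.lstat(dirpath).st_uid
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: do not follow symlinks
            except OSError:
                continue                 # entry vanished or is unreadable
            label = classify(st.st_uid, st.st_mode, dir_uid, account_uid)
            if label:
                findings.append((label, path))
    return sorted(findings)

if __name__ == "__main__":
    import pwd
    import sys
    top = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    account = sys.argv[2] if len(sys.argv) > 2 else "uucp"
    for label, path in audit(top, pwd.getpwnam(account).pw_uid):
        print(f"{label:24} {path}")
```

Entries reported as replaceable-by-account or dir-owned-by-account are the ones to review when root is known to run them; setuid-to-account entries are listed only for inventory.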
