[25244] in bugtraq

home help back first fref pref prev next nref lref last post

more info on the iosmash.c exploit

daemon@ATHENA.MIT.EDU (John Scimone)
Wed Apr 24 21:57:50 2002

Content-Type: text/plain;
  charset="iso-8859-1"
From: John Scimone <jscimone@cc.gatech.edu>
Date: Tue, 23 Apr 2002 20:23:43 +0000
To: bugtraq@securityfocus.com
Cc: vuln-dev@securityfocus.com, recon@snosoft.com
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200204232023.43849.jscimone@cc.gatech.edu>

phased had some comments he wanted me to forward on to the lists in
regards to his latest exploit.

He says that skeys are used via all authentication methods... i.e telnet, so 
someone could change the user to someone in the wheel group.  Haven't used 
skeys via ssh yet but I presume it works.  Root obviously can't just telnet 
in by default but usually can ssh, but if the box being exploited contains 
people in the wheel group you can change the root user in the exploit to any 
user to log in via skeys as that user.

-sert-

That file you've been guarding, isn't.
-------------------------------------------------------------------
      ______________________________
     /   _____/\______   \__    ___/   | Secure Network Operations
     \_____  \  |       _/ |    |      | http://www.snosoft.com
     /        \ |    |   \ |    |      | recon@snosoft.com
    /_______  / |____|_  / |____|      |
            \/         \/              | Project Cerebrum
    Strategic  Reconnaissance Team     | cerebrum@snosoft.com

---------- Forwarded message ----------
Date: Wed, 24 Apr 2002 03:33:15 +0400
From: James Green <phased@mail.ru>
To: recon@snosoft.com
Subject: the iosmash.c exploit


in the comments i used su to gain root, someone needs to post to bugtraq
that skeys is used via all auth methods, i.e. telnet so you could change
the user to someone in wheel, havent used skeys via ssh but i presume it
 works. root isnt allowed to telnet default but usually can ssh, but if the
 box has people in the wheel group you can change the root to any user in the
 exploit to log in via skeys as that user.  btw dont forward this post can i
 had some beers tonight heh :) put it in better english lol

phased
phased@snosoft.com

-------------------------------------------------------
home help back first fref pref prev next nref lref last post