[9974] in bugtraq
X11R6 NetBSD Security Problem
daemon@ATHENA.MIT.EDU (in.telnetd)
Thu Mar 25 23:10:19 1999
Date: Sun, 21 Mar 1999 21:34:48 -0800
Reply-To: "in.telnetd" <telnetd@DOEMILL.SHOCKING.COM>
From: "in.telnetd" <telnetd@DOEMILL.SHOCKING.COM>
To: BUGTRAQ@NETSPACE.ORG
Hey

If this has already been brought up, you have the right to stone me to
death, but I haven't seen it and I've searched, so here it is:

I was fooling around today, and decided to rm /tmp/.X11-unix and then make
a symbolic link from a file to /tmp/.X11-unix and then startx. So I backed
up /etc/passwd and
ln -s /etc/passwd /tmp/.X11-unix
and then startx'd as a normal user account, but X wouldn't start; it
complained and said "is not a directory". So I made a symbolic link from
/root to /tmp/.X11-unix, and startx'd as a normal user, and was surprised
to have write access to /root.

I was able to write new files to /root but was not able to overwrite or
change files; I was able to make a "+ +" .rhosts though.
I did this to /etc also, changed it from:
drwxr-xr-x
To:
drwxrwxrwt
with:
telnetd ~$ ln -s /etc /tmp/.X11-unix
telnetd ~$ startx
I have tested this via a remote telnet session also. It works if you are
able to startx and X isn't already running.

I swung my chair around and got on my gateway, telnetted to stinky, logged
in as a normal user, ln -s /etc /tmp/.X11-unix, startx'd remotely, saw
the X startup crap, looked behind me and saw X starting on stinky. I
turned to my gateway and stopped X, and had write access to /etc.
wh00t@$#!$
The only real thing I can think of for this to be useful is .rhosts in
/root...
later
telnetd@doemill.shocking.com
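
The mode change reported above (drwxr-xr-x becoming drwxrwxrwt on whatever /tmp/.X11-unix points to) does not happen when the socket directory is created and chmod'ed without following links. The following is an added example, not part of the original post and not code from any X server; the function name safe_socket_dir and the scratch paths are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, O_DIRECTORY, mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns 0 when `path` is a real directory owned by
 * root or the caller and now has mode 1777; -1 otherwise.
 * A symlink at `path` is never followed. */
int safe_socket_dir(const char *path)
{
    struct stat st;
    int fd;

    /* mkdir() fails with EEXIST on an existing symlink instead of following it. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW rejects a symlink, O_DIRECTORY rejects a regular file. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Check and chmod the same open object, so the path cannot be swapped in between. */
    if (fstat(fd, &st) != 0 || (st.st_uid != 0 && st.st_uid != geteuid()) ||
        fchmod(fd, 01777) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    char base[] = "/tmp/xdir-demo-XXXXXX";   /* constructed scratch area */
    char victim[64], lnk[64], fresh[64];
    if (!mkdtemp(base)) return 1;
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(lnk, sizeof lnk, "%s/.X11-unix", base);
    snprintf(fresh, sizeof fresh, "%s/fresh", base);
    mkdir(victim, 0755);
    symlink(victim, lnk);   /* stands in for the planted link from the post */
    printf("symlink: %d, fresh dir: %d\n", safe_socket_dir(lnk), safe_socket_dir(fresh));
    return 0;
}
```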