[18712] in bugtraq
Re: Solaris /usr/bin/cu Vulnerability
daemon@ATHENA.MIT.EDU (Juergen P. Meier)
Fri Jan 19 11:56:04 2001
Message-ID: <20010119093624.A12463@fm.rz.fh-muenchen.de>
Date: Fri, 19 Jan 2001 09:36:24 +0100
Reply-To: jpm@class.de
From: "Juergen P. Meier" <jpm@class.de>
X-To: Tomas Cibulka <shock@hq.alert.sk>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010118201910.A28768@hq.alert.sk>; from shock@HQ.ALERT.SK on
Thu, Jan 18, 2001 at 08:19:10PM +0100
On Thu, Jan 18, 2001 at 08:19:10PM +0100, Tomas Cibulka wrote:
> Hi
>
> Solaris 2.8 seems to be also affected by this bug.
> But you can gain only uucp rights in default installation.
>
> bye

If I look at the output of find / -user uucp -xdev -ls on a freshly
installed and patched Solaris 7, this seems enough for me to r00t
the box.

# find / -user uucp -xdev -ls
188616 55 -rws--x--x 1 uucp bin 56240 Jan 9 06:39 /usr/bin/tip
188741 8 -r-xr-xr-x 1 uucp uucp 8188 Sep 1 1998 /usr/bin/uudecode
188742 8 -r-xr-xr-x 1 uucp uucp 7224 Sep 1 1998 /usr/bin/uuencode
123841 0 -rw------- 1 uucp bin 0 Jan 17 15:54 /var/adm/aculog
300661 1 drwxr-xr-x 2 uucp uucp 512 Jan 19 08:28 /var/spool/locks
276741 0 crw------- 1 uucp uucp 29,131072 Jan 17 16:16 /devices/sbus@1f,0/zs@f,1100000:a,cu
276742 0 crw------- 1 uucp uucp 29,131073 Jan 17 16:16 /devices/sbus@1f,0/zs@f,1100000:b,cu
(the 2 devices are /dev/term/a and /dev/term/b ...)

For those who don't know what I'm talking about:
Elevate your UID to uucp, then replace uudecode and uuencode with
trojaned versions that check if [E]UID is 0 and create a backdoor
when this happens.
Then just wait until root processes some uuencoded file...
[one may send a uuencoded mail to root or try to get him to
use uudecode by other means to accelerate this...]

Have a nice and safe day,
(chmod a-s /usr/bin/cu until fixed by Sun Microsystems,
or pkgrm SUNWbnuu SUNWbnur for all those who don't require UUCP ;)
btw, did the author of the first post contact Sun about this issue?)

Juergen
--
Juergen P. Meier email: jpm@class.de
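
Added example (not part of the original message): an audit filter for `find -ls` output that reports every executable regular file owned by a non-root account, which is the exposure the listing above shows for uucp. The function names `audit_find_ls` and `sample_listing` are hypothetical, and the filter assumes paths contain no whitespace.

```shell
#!/bin/sh
# Added example, not the poster's code. Reads `find ... -ls` lines on stdin
# and prints "owner path reason" for each regular file that carries an
# execute bit and is owned by an account other than root.
# Assumption: paths contain no whitespace (the path is read as the last field).
audit_find_ls() {
    awk '
    {
        perms = $3; owner = $5; path = $NF
        if (substr(perms, 1, 1) != "-") next     # regular files only
        if (owner == "root") next                # root-owned: not reported
        u = substr(perms, 4, 1)                  # owner execute / setuid slot
        g = substr(perms, 7, 1)                  # group execute / setgid slot
        o = substr(perms, 10, 1)                 # other execute / sticky slot
        if (u !~ /[xs]/ && g !~ /[xs]/ && o !~ /[xt]/) next   # not executable
        # A setuid file runs as its owner; any other executable is a file
        # whose owner can change what root ends up running.
        reason = (u == "s") ? ("setuid-" owner) : "owner-replaceable"
        print owner, path, reason
    }'
}

# Sample input: the listing quoted in the message above.
sample_listing() {
    cat <<'EOF'
188616 55 -rws--x--x 1 uucp bin 56240 Jan 9 06:39 /usr/bin/tip
188741 8 -r-xr-xr-x 1 uucp uucp 8188 Sep 1 1998 /usr/bin/uudecode
188742 8 -r-xr-xr-x 1 uucp uucp 7224 Sep 1 1998 /usr/bin/uuencode
123841 0 -rw------- 1 uucp bin 0 Jan 17 15:54 /var/adm/aculog
300661 1 drwxr-xr-x 2 uucp uucp 512 Jan 19 08:28 /var/spool/locks
276741 0 crw------- 1 uucp uucp 29,131072 Jan 17 16:16 /devices/sbus@1f,0/zs@f,1100000:a,cu
276742 0 crw------- 1 uucp uucp 29,131073 Jan 17 16:16 /devices/sbus@1f,0/zs@f,1100000:b,cu
EOF
}

sample_listing | audit_find_ls
```

On a live system the same filter takes the output of `find / -xdev -ls` on stdin; each reported file is a candidate for root ownership or removal.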