Bugtraq mailing list archives
Re: FreeBSD recent exploits.
From: cschuber () uumail gov bc ca (Cy Schubert - ITSD Open Systems Group)
Date: Tue, 23 Jul 1996 08:28:07 -0700
Hello, I run a FreeBSD news server. I have been keeping up with the various recent security holes (the suidperl, rdist, etc.). However, since this is a full disclosure list, I must say my curiosity is piqued about the latest two.

First, how would one use the hole in the ppp program? I noticed, looking at the patch, the flawed logic in some of the source code. However, since I am trying to learn C myself, I wasn't sure how they would be exploited.

Secondly, the rz/sz. Is this a FreeBSD only hole, or a "bad idea" that is part of the zmodem protocol? And I am dying to see more info about it, as in, exactly what part of the protocol allows you to do this? Also, without knowing the history of rz/sz, why on earth did they include such a thing, if it was in fact a deliberate inclusion?

Andy Dills
This is a bad idea that is part of the Zmodem protocol. Chuck Forsberg, the author of Zmodem, markets a number of Zmodem programs, e.g. dsz, zcomm, and Pro-Yam, through his company Omen Technologies. When I used to use Pro-Yam under MS-DOS, Pro-Yam had a zcommand command that would allow you to execute a command on the remote machine and have the output sent back to you, kind of like rsh. It is not very secure; however, in the MS-DOS world access to a single machine is generally limited to a small number of people (except BBS systems), so the degree of exposure is also somewhat limited as well.

Regards,
Cy Schubert
Open Systems Support
ITSD

Phone: (604)389-3827
OV/VM: BCSC02(CSCHUBER)
BITNET: CSCHUBER@BCSC02.BITNET
Internet: cschuber () uumail gov bc ca
          cschuber () bcsc02 gov bc ca

"Quit spooling around, JES do it."