Bugtraq mailing list archives
Re: Solaris /usr/bin/cu Vulnerability
From: Wietse Venema <wietse () PORCUPINE ORG>
Date: Fri, 19 Jan 2001 13:02:45 -0500
On Thu, Jan 18, 2001 at 11:57:12PM +0100, Konrad Rieck wrote:
cu is only set setuid for the owner uucp and an attacker won't gain any special privileges, but he would gain access to the files in /etc/uucp.
Michael H. Warfield:
Correction... He does gain special privileges. He gains access to all the uucp control files which can contain account names and passwords on other systems. It ain't root, but it's more than what he should have.
It is worse than that. Once UUCP privilege is gained you can replace the UUCP executables. That gives you full control over any user that happens to execute those UUCP executables - a root-owned cron job, a sendmail.cf mailer rule that executes as daemon, and so on.

Wietse
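
The message above argues that whatever the uucp account owns becomes replaceable once that account is compromised. As an added example (not part of the original thread), this shell function lists what a given account owns under a set of directories; the function name and the output labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Lists what a non-root account could replace under the given directories:
#   setuid - regular file owned by the account with the setuid bit set
#            (runs with that account's privilege, like cu in this thread)
#   exec   - other executable regular file owned by the account
#   dir    - directory owned by the account (entries in it can be swapped)
# Usage: audit_account_owned ACCOUNT DIR...
audit_account_owned() {
    acct=$1
    shift
    # Only the first matching branch fires, so a setuid file is reported once.
    # The three -perm tests are the portable form of "any execute bit set".
    find "$@" -user "$acct" \( \
        \( -type f -perm -4000 -exec printf 'setuid %s\n' {} \; \) -o \
        \( -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
           -exec printf 'exec %s\n' {} \; \) -o \
        \( -type d -exec printf 'dir %s\n' {} \; \) \
    \) 2>/dev/null
}

# When run as a script with arguments, e.g.  uucp /usr/bin /etc/uucp
if [ "$#" -ge 2 ]; then
    audit_account_owned "$@"
fi
```

Every `exec` or `dir` line is something a privileged job (cron, a mailer rule) should not be invoking unless the owning account is trusted as much as the caller.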