Vulnerability Development mailing list archives

Re: VULN-DEV Digest - 22 Mar 2000 to 23 Mar 2000 (#2000-61)


From: 11a () GMX NET (Bluefish)
Date: Sun, 26 Mar 2000 11:22:23 +0200


Uhm, it was my impression from the previous mails that no one could
reproduce the problem described in the original email, or am I wrong?

The mail said redhat 6.1, but a redhat 6.1 installation uses
/var/spool/mail, so I think there is something funny here. His id command does
not behave as it does with rh 6.1 out of the box either! And the list goes
on: my installation sets mail to group 12.

So, I think that either
 1) his box is rooted
 2) he's faking it, making fun of us or something.

Now watch me trying to reproduce the problem:

[admin@blue admin]$ cat dotid.c ; cc -c dotid.c ; cc -o dotid dotid.o ; mv dotid /var/spool/mail/admin ; chmod 4700 /var/spool/mail/admin ; id ; /var/spool/mail/admin

void main() {
 setuid( 514 );
 setgid( 12 );
 system("/bin/sh");
}
dotid.c: In function `main':
dotid.c:2: warning: return type of `main' is not `int'
uid=514(admin) gid=100(users) groups=100(users),514(admin)
bash$ id
uid=514(admin) gid=100(users) groups=100(users),514(admin)
bash$

Unless there's something wrong with my c-code (I'm *not* very good with c),
there's no real vulnerability at work? The exploit does *not* work with
redhat 6.1, and the mail stating that it was for rh 6.1 was executed in an
environment far away from rh 6.1, possibly a rooted box.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
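The reproduction above boils down to two checks an administrator would want to run on their own box: is anything under the mail spool carrying a setuid or setgid bit, and what group owns the spool directory. The script below is an added example for this archive entry, not code from the original post or from Bluefish; it assumes the default path /var/spool/mail and the "mail" group (gid 12) mentioned above, and the demo at the end builds a constructed throwaway spool in a temp directory rather than touching a real one. It lists each flagged file with its mode and owner because the setuid bit only confers the file owner's uid: a 4700 file owned by the same user who runs it, as in the transcript above, changes nothing, which is exactly what the unchanged `id` output shows.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a mail spool directory
# for setuid/setgid files and report the directory's group. The default path
# /var/spool/mail and the "mail" group (gid 12) follow the post above; the
# demo at the bottom uses a constructed spool in a temp dir.

# Count regular files under $1 with the setuid (4000) or setgid (2000) bit set.
count_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# List those files with mode and owner: a setuid bit only confers the file
# OWNER's uid, so the owner matters as much as the bit itself.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
}

# Group name owning the spool directory ("mail", gid 12, on a stock box).
spool_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Report on one spool directory. Returns 0 when clean, 1 when any
# setuid/setgid file is present, so it can drive a cron job or a test.
audit_spool() {
    spool="${1:-/var/spool/mail}"
    printf 'spool: %s (group: %s)\n' "$spool" "$(spool_group "$spool")"
    n=$(count_setid_files "$spool")
    if [ "$n" -eq 0 ]; then
        printf 'ok: no setuid/setgid files under %s\n' "$spool"
        return 0
    fi
    printf 'ALERT: %s setuid/setgid file(s) under %s\n' "$n" "$spool"
    list_setid_files "$spool"
    return 1
}

# Demo on a constructed spool: one ordinary mailbox and one mode-4700 file,
# mirroring the chmod in the transcript above. Runs only when invoked with
# "demo" so the functions can also be sourced from another script.
demo_constructed_spool() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/alice"; chmod 600 "$tmp/alice"    # normal mailbox (constructed)
    : > "$tmp/admin"; chmod 4700 "$tmp/admin"   # setuid file, as in the post
    audit_spool "$tmp" || true
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo_constructed_spool
fi
```

Run it as `sh audit_spool.sh demo` to see the report on the constructed spool, or source the file and call `audit_spool /var/spool/mail` from cron; a non-zero exit is the signal worth alerting on, and the listed owner tells you immediately whether the bit would actually grant anything.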

