Bugtraq mailing list archives
Re: Security Info (root broken)
From: cklaus () shadow net (Christopher Klaus)
Date: Wed, 28 Sep 94 21:59:18 EDT
I need some answers, badly. The OS was SunOS 4.1.3_U1B. The machine was a 4/470. A site I was helping on was broken in and maliciously destroyed the other day (rendered un-login-able), apparently via a hole I am unaware of (thanks for nothing, security thru obscurity folks - the crackers DO have information that is denied us 'ordinary' folks). This was a new install, and it lasted about 4 days. One person heard thru the cracker grapevine that root was broken thru /bin/mail. HOW?! The permissions-fixing script from Sun had been run, plus things like arp, chill and rdist were made unavailable to users (chmod o-rx). Rdist was replaced by the fixed version and made unavailable for use to users (chmod o-rx). The original passwd command was made mode 400, as well as yppasswd, and a replacement passwd command was installed that didn't have the -F option, or the chfn or chsh options. The C2conv script had also been run. Sendmail was replaced by the newest version with all the fixes, and bind 4.9.2 replaced the original nameserver, as well as its resolver library. All programs replaced were renamed and made mode 400, owner root. Newsyslog was also chown'd to root, and the chmod 666 $LOG was changed to 644. /etc/utmp was also changed to mode 644. Without better info, all the above work was a total waste of time. Can someone out there please inform me how these cracker types are getting root privs, and how one can stop it short of disconnecting the machine? And most important, how one can test for these vulnerabilities, and FIX them. Is there a hole in /bin/mail? How does one test for it (I am working on a port of net-2's /bin/mail replacement)? Also, how can one prevent anyone from being able to forge mail via the -f option?
8lgm posted a /bin/mail script that showed a vulnerability on Usenet and Sun responded a few weeks later with a patch. 8lgm showed with another script that their patch had not fixed the problem, but had made it worse. I do not believe Sun has since released another patch to fix the problem. This was like 3 months ago or more. So, maybe Sun has released a new patch for bin/mail, but I have been subscribed to Sun's security patch mailing list and have not seen anything regarding a fix.

--
Christopher William Klaus <cklaus () shadow net> <iss () shadow net>
Internet Security Systems, Inc. Computer Security Consulting
2209 Summit Place Drive, Atlanta, GA 30350-2430. Penetration Analysis of Networks
(404)518-0099. Fax: (404)518-0030
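The quoted message lists the permission changes that were applied before the break-in (setuid tools made chmod o-rx, retired originals made mode 400). The script below is an added example, not code from either poster, that re-checks those two rules against a directory tree so a site can verify the lockdown actually stuck; the file paths under the root are assumptions, since the posts give no full paths, and the demo tree is constructed for illustration.

```shell
#!/bin/sh
# Permission audit (added example). Rule 1: the setuid tools named in the
# quoted message (arp, chill, rdist, passwd, yppasswd) must have no read or
# execute access for "other" (the effect of chmod o-rx). Rule 2: renamed
# originals must be exactly mode 400. Paths are relative to a root directory
# so the checks can run against a constructed test tree; names are assumed.

# Permission string of a file, e.g. "-rwsr-xr-x", taken from ls for portability.
perm_string() { ls -ld "$1" | cut -c1-10; }

# Print every listed file that is still readable or executable by "other":
# character 8 is other-read, character 10 is other-execute (x, or t if sticky).
audit_other_rx() {
    root=$1; shift
    for f in "$@"; do
        p=$(perm_string "$root/$f")
        case "$p" in
            ???????r??|?????????[xt]) echo "OTHER-RX $f $p" ;;
        esac
    done
}

# Print every listed file that is not exactly mode 400 (-r--------).
audit_mode_400() {
    root=$1; shift
    for f in "$@"; do
        p=$(perm_string "$root/$f")
        [ "$p" = "-r--------" ] || echo "NOT-400 $f $p"
    done
}

# Constructed sample tree: one compliant and one offending file per rule.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/etc" "$root/usr/bin" "$root/bin"
    touch "$root/usr/etc/arp" "$root/usr/bin/rdist" "$root/bin/passwd.orig" "$root/bin/sendmail.orig"
    chmod 4750 "$root/usr/etc/arp"         # setuid, o-rx applied: passes
    chmod 4755 "$root/usr/bin/rdist"       # setuid and still world-rx: flagged
    chmod 400  "$root/bin/passwd.orig"     # retired original locked down: passes
    chmod 644  "$root/bin/sendmail.orig"   # retired original left readable: flagged
    echo "$root"
}

# Run both audits against the sample tree, then clean up.
demo() {
    root=$(build_demo_tree)
    audit_other_rx "$root" usr/etc/arp usr/bin/rdist
    audit_mode_400 "$root" bin/passwd.orig bin/sendmail.orig
    rm -rf "$root"
}

demo
```

Against a real system the two audit functions take `/` as the root and the actual paths of the locked-down binaries; ownership (root) is not checked here and must be verified separately.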