Re: Solaris /usr/bin/cu Vulnerability

["Juergen P. Meier" <jpm () class de>]

On Thu, Jan 18, 2001 at 08:19:10PM +0100, Tomas Cibulka wrote:
> HI
>
>  solaris 2.8 seems to be also affected by this bug.
>  But U can gain only uucp rights in default instalation.
>
>                       bye

If i look at the output of find / -user uucp -xdev -ls on a freshly
installed and patched solaris7, this seems enough for me to r00t
the box.
# find / -user uucp -xdev -ls
188616   55 -rws--x--x  1 uucp     bin         56240 Jan  9 06:39 /usr/bin/tip
188741    8 -r-xr-xr-x  1 uucp     uucp         8188 Sep  1  1998 /usr/bin/uudecode
188742    8 -r-xr-xr-x  1 uucp     uucp         7224 Sep  1  1998 /usr/bin/uuencode
123841    0 -rw-------  1 uucp     bin             0 Jan 17 15:54 /var/adm/aculog
300661    1 drwxr-xr-x  2 uucp     uucp          512 Jan 19 08:28 /var/spool/locks
276741    0 crw-------  1 uucp     uucp      29,131072 Jan 17 16:16 /devices/sbus@1f,0/zs@f,1100000:a,cu
276742    0 crw-------  1 uucp     uucp      29,131073 Jan 17 16:16 /devices/sbus@1f,0/zs@f,1100000:b,cu
(the 2 devices are /dev/term/a and /dev/term/b ...)

for those who dont know what im talking about:
Elevate your UID to uucp, then replace uudecode and uuencode with
trojaned versions that check if [E]UID is 0 and create a backdoor
when this happens.
Then just wait until root processes some uuencoded file...
[one may send a uuencoded mail to root or try to get him to
use uudecode by other means to accelerate this...]

have a nice and safe day,

(chmod a-s /usr/bin/cu until fixed by Sun microsystems.
or pkgrm SUNWbnuu SUNWbnur for all those who dont require UUCP ;)
btw, did the author of the first post contact Sun about this issue?)

Juergen

--
Juergen P. Meier                        email: jpm () class de