Vulnerability Development mailing list archives

Re: /var/named world writeable in latest slack


From: Jason Storm <sec () ORGONE NEGATION NET>
Date: Thu, 12 Oct 2000 00:32:08 -0700

On Thu, 12 Oct 2000, Michal Zalewski wrote:

> On Wed, 11 Oct 2000, Jason Storm wrote:
>
> > I just installed the latest slack distro from ftp.freesoftware.com,
> > not the ISO btw, and /var/named was world writeable.
>
> If so, it almost for sure means root compromise, AFAIK. As I recall,
> config file parsing could cause some overflows...

I sincerely doubt the box was hacked </famous last words>; named was never
running for one thing (it's commented out of rc.inet2 by default), and this
was found literally within 2 minutes of the first reboot after the
install.

Those 2 minutes were spent locking down inetd.conf and terming all rpc
services.

Plus it was behind a firewall.. and while yes, someone could have nailed
it from another machine on the LAN, it just doesn't seem as likely as
another packaging oversight (/etc/shells and such)..


> I'm looking for a good job: http://lcamtuf.hack.pl/job.html
>
> _______________________________________________________
> Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
> [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
> =-----=> God is real, unless declared integer. <=-----=


-jason storm
 negation industries
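
A post-install check for the kind of packaging oversight discussed in this thread, as an added example that is not part of the original messages: it lists world-writable files and directories under the paths it is given. The function names and the temporary demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag world-writable files and directories under given roots.
# Symlinks are skipped, since their own mode bits are always 0777 on Linux.

find_world_writable() {
    # Print every regular file or directory under each root whose
    # "other" write bit (0002) is set. Roots that do not exist are ignored.
    for root in "$@"; do
        [ -e "$root" ] || continue
        find "$root" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null
    done
}

audit_paths() {
    # Return 0 when nothing is world-writable, 1 otherwise.
    hits=$(find_world_writable "$@")
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | sed 's/^/WORLD-WRITABLE: /'
    return 1
}

demo() {
    # Constructed sample tree mirroring the report: named's directory is
    # mode 777, everything else has ordinary permissions.
    demo_root=$(mktemp -d) || return 1
    mkdir -p "$demo_root/var/named" "$demo_root/etc"
    : > "$demo_root/var/named/example.zone"
    : > "$demo_root/etc/shells"
    chmod 777 "$demo_root/var/named"
    chmod 644 "$demo_root/var/named/example.zone" "$demo_root/etc/shells"
    chmod 755 "$demo_root/etc"
    audit_paths "$demo_root/var/named" "$demo_root/etc"
    rc=$?
    rm -rf "$demo_root"
    return "$rc"
}

# With arguments, audit those paths; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then
    audit_paths "$@"
else
    demo || true
fi
```

Run with real paths as arguments (for example /var/named /etc) on a freshly installed system; a non-zero exit status means at least one finding was printed.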

