Vulnerability Development mailing list archives

Possible exploit in FreeBSD 4.0


From: John Herron <john.herron () RRC STATE TX US>
Date: Thu, 26 Oct 2000 08:17:51 -0500

I apologize that I haven't had the proper time to test this more.  I just wanted to make people aware of this 
possibility.

Here's what happened:

I was telnetting to my FreeBSD 4.0 box, and was going to add a java program to it but realized I didn't have XFree86 or 
anything installed (no GUI) and lots of other stuff wasn't installed either.  So I ran "/stand/sysinstall" to start 
installing stuff (this is a 1GB IDE HD btw) anyway, figuring that I could PROBABLY fit all the programs the CD had on 
it on my HD I told it to give me "all" the stuff, etc, etc.  After 2 or so hours of installing, I finally got a HD full 
error so I had to tell it "no, don't try to get the file again", and this went on for a bit.  Finally the program quit 
with some fail error.  

Over the telnet session I was still on the box, but figured it was probably corrupted.  I physically went to the box to 
check it out.  I logged in with my non-root account and it failed (bad login or password).. I tried a few more times 
with no success.  I tried the "guest" account I made (for the public to telnet with), still no luck.  I try "root", it 
gave some QUICK error, erased it (I never saw what it said) didn't ask me for a password and dumped me into the root 
prompt.  It displays the motd and then (unfortunately can't remember which 2 files) but complained about not being able 
to read two files or them being corrupt or something.  Regardless, I tried logging in a few times but same results, 
valid logins are rejected and root fails to ask a password and glitches you into a root prompt.

Someone may want to experiment with this further to see what the actual problems are.  I hosed my box and am having 
trouble getting it to install without crashing right now so I can't test it anymore :o( .

One side note, ok.. maybe 2.  1, I was going to see if this would ALSO happen if I just filled UP the harddrive (just 
echo "bla" to a file however many times you want and loop it until a harddrive full error occurs) and see how it 
affects the system.  2, I also noticed while debugging my crappy installations (that never work) that upon some point 
in /sysinstall it opens a root shell on ttyv4 or so which I did try and successfully typed in.  I can't see if you're 
required to be root or not to run sysinstall (but I recall running it under my guest account before).  If that IS the 
case that would be another possible exploit.  The fix would basically be to make that directory and those files only 
runnable/readable/writable/whateverable to root or wheel only.

Have fun.

