Sequent/DYNIX Security Hole
Christian A. Ratliff (ratlifc indikos.ctron.com)
Fri, 10 Jun 1994 09:56:16 -0400
Under Sequent DYNIX/ptx 2.x there is a security hole in the telnet command that will allow any user on the system to overwrite any file. Using the command will overwrite any file in any filesystem with a zero-length root-owned file.

To exploit this bug try:

    /usr/bin/telnet -n filename hostname

The fix for this bug is simply to remove the setuid bit from the telnet executable. To patch this bug try:

    chmod u-s /usr/bin/telnet

Sequent was already aware of this bug when I reported it last night. While it is fixed in the next major release of their TCP/IP package, no alert was ever sent out to customers.

christian

-----------
Christian Ratliff                       Cabletron Systems, Inc.
Sales Programmer/Analyst                Rochester, NH 03867
ratlifcctron.com <NeXTmail OK>          Work: (603) 337-1209
"I'm a NeXTSTEP man; I'm an SGI guy."   Home: (207) 780-NeXT
Nobody at Cabletron knows, approves of, or recalls my opinions.
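
The mitigation from the message above, as an added example that is not part of the original post: a POSIX shell sketch that applies the chmod u-s step, confirms the bit is really gone, and lists what else is still setuid. The function names (is_setuid, list_setuid, strip_setuid) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are
# hypothetical; the only path taken from the post is /usr/bin/telnet.

# is_setuid FILE: succeeds if FILE is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# list_setuid DIR: print every setuid regular file under DIR, staying on
# one filesystem, so remaining setuid programs can be reviewed.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null
}

# strip_setuid FILE: apply the fix from the post (chmod u-s) and verify it.
# Returns 0 if FILE is not setuid afterwards, 1 if the bit could not be
# removed, 2 if FILE does not exist.
strip_setuid() {
    target=$1
    if [ ! -f "$target" ]; then
        echo "missing: $target"
        return 2
    fi
    if ! is_setuid "$target"; then
        echo "already not setuid: $target"
        return 0
    fi
    echo "before: $(ls -ld "$target")"
    chmod u-s "$target" || { echo "chmod failed: $target"; return 1; }
    if is_setuid "$target"; then
        echo "still setuid: $target"
        return 1
    fi
    echo "after:  $(ls -ld "$target")"
    return 0
}

# Typical use, run as root on the affected host:
#   strip_setuid /usr/bin/telnet
#   list_setuid /usr/bin
```
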