Re: Is starting a user program on priv port via inetd dangerous ?
Eric Murray (ericm MicroUnity.com)
Thu, 21 Jul 94 16:39:37 MDT
- Next message: Paul A Vixie: "yes, there's another hole in BIND"
- Previous message: Paul Daw: "Re: Sending escape sequences to xterms via wall/talk"
- In reply to: Doug McLaren: "Is starting a user program on priv port via inetd dangerous ?"
- Next in thread: matthew green: "Re: Is starting a user program on priv port via inetd dangerous ?"
Doug McLaren wrote:
>
> Oh, here's the scenario :
>
> I imagine a few of you are familiar with IRC - there's a network of
> servers talking to each other, and listening for client and server
> connections.
>
> Currently the de facto port is 6667. But there's a growing movement to
> change this to 194, which will magically add 'accountability',
> 'responsibility' and 'respectability' to IRC. (how effective this
> would be has been beaten to death on the IRC mailing lists with no
> apparent answer.)
[..]
> ircd stream tcp wait dougmc /home/dougmc/ircd/ircd ircd -i
>
> (apparently even this doesn't always work, but that's not my question
> either.)
>
> My question is this: I own /home/dougmc/ircd/ircd, so I can change it
> in any way I want. Is it possible to alter it in such a way that it
> takes this open fd to port 194 and abuses it, perhaps uses it to spoof
> a rlogin or rsh?

A quick perusal of (4.3BSD) inetd shows that it forks, the child
gets setuid & setgid to the user that ircd is supposed
to run as (dougmc in this case), and exec()d. Doesn't
look too bad, but I just glanced at the code, and I couldn't
say if any other version of UNIX doesn't do something dumb in inetd.

So, if there's a hole in ircd, it could certainly be exploited as dougmc
but probably not as root. So it's probably not much worse than
regular port 6667 in that respect.

It's still a pretty stupid idea, but you're already aware of that.
--
ericm ericm
microunity.com
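
An added example, not part of the original thread or of inetd: a small audit of inetd.conf that flags the arrangement discussed above, where a non-root user's own binary is started on a privileged port. The `SERVICES` map, the sample entries other than the quoted `ircd` line, and the function names are assumptions made for illustration.

```python
import os
import pwd
import re

# Constructed inputs: SERVICES stands in for /etc/services, with "ircd" mapped
# to port 194 as the post describes; only the first SAMPLE entry is from the post.
SERVICES = {"ircd": 194, "telnet": 23, "ircd-alt": 6667}
SAMPLE = """\
# service  type   proto wait   user    server                  args
ircd       stream tcp   wait   dougmc  /home/dougmc/ircd/ircd  ircd -i
telnet     stream tcp   nowait root    /usr/libexec/telnetd    telnetd
ircd-alt   stream tcp   nowait dougmc  /home/dougmc/ircd/ircd  ircd -i
"""

def file_owner(path):
    """Login name that owns path, or None if it cannot be determined."""
    try:
        return pwd.getpwuid(os.stat(path).st_uid).pw_name
    except (OSError, KeyError):
        return None

def parse_inetd(text):
    """Yield (service, wait, user, server) for each inetd.conf entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:
            continue  # blank, comment-only, or malformed line
        service, _type, _proto, wait, user, server = fields[:6]
        # Some inetd versions append a limit or a group after a separator.
        first = lambda s: re.split(r"[.:/]", s)[0]
        yield service, first(wait), first(user), server

def audit(text, services=SERVICES, owner_of=file_owner):
    """Report non-root services that inetd binds to a privileged port."""
    findings = []
    for service, wait, user, server in parse_inetd(text):
        port = services.get(service)
        if port is None or port >= 1024 or user == "root":
            continue
        findings.append({
            "service": service, "port": port, "user": user,
            # with "wait", a stream server is handed the listening socket itself
            "gets_listening_socket": wait == "wait",
            # the run-as user owns the binary, so controls what holds the fd
            "user_owns_binary": owner_of(server) == user,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
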