Bugtraq archives for 3rd quarter (Jul-Sep) 1994: Re: Security Info (root broken)
Re: Security Info (root broken)
Christopher Klaus (
cklaus
shadow.net)
Thu, 29 Sep 94 17:18:25 EDT
>
> > >>>>> On Thu, 29 Sep 1994 07:04:44 -0600 (CDT), Pug <pugarlut.utexas.edu> said:
> > >> This was a new
> > >> install, and it lasted about 4 days. One person heard thru the cracker
> > >> grapvine that root was broken thru /bin/mail.
> > P> Did you happen to install the following, in particular 101436-02?
> > P> Solaris 1.1.1 Patches Containing Security Fixes:
> > P> ------------------------------------------------
> > P> 101436-02 SunOS 4.1.3_U1: bin/mail jumbo patch
> > This is the patch which made the race condition *easier* to exploit
> > than it was in the unpatched version.
>
> As I remember the race condition, you don't have a problem if you don't
> allow the 'r' commands into your system. The race condition created a
> .rhosts file for accounts that had UID 0, but no existing .rhosts file.
> I can't find my copy of the exploit anymore to be certain. As well, you
> had to start on the system, so it wasn't that much of an external job
> anyway.
>
> I see allowing 'r' commands into your installation as a Bad Thing anyway.
I agree that removing the .rhosts ability is a good idea, but it would be
just as easy for an intruder to use the race condition to overwrite the
password file with their own root account unless this particular bug
doesnt allow overwriting files. Or they could create a .forward file
to gain the root's permissions. I am sure there are other methods
to subvert the machine, if allowed to write root owned files.
--
Christopher William Klaus <cklausshadow.net> <issshadow.net>
Internet Security Systems, Inc. Computer Security Consulting
2209 Summit Place Drive, Penetration Analysis of Networks
Atlanta,GA 30350-2430. (404)518-0099. Fax: (404)518-0030
