From: Juergen P. Meier (jpmCLASS.DE)
Date: Fri Jan 19 2001 - 02:36:24 CST

    On Thu, Jan 18, 2001 at 08:19:10PM +0100, Tomas Cibulka wrote:
    > HI
    >
    > Solaris 2.8 seems to be also affected by this bug.
    > But U can gain only uucp rights in default installation.
    >
    > bye

    If I look at the output of find / -user uucp -xdev -ls on a freshly
    installed and patched Solaris 7, this seems enough for me to r00t
    the box.
    # find / -user uucp -xdev -ls
    188616 55 -rws--x--x 1 uucp bin 56240 Jan 9 06:39 /usr/bin/tip
    188741 8 -r-xr-xr-x 1 uucp uucp 8188 Sep 1 1998 /usr/bin/uudecode
    188742 8 -r-xr-xr-x 1 uucp uucp 7224 Sep 1 1998 /usr/bin/uuencode
    123841 0 -rw------- 1 uucp bin 0 Jan 17 15:54 /var/adm/aculog
    300661 1 drwxr-xr-x 2 uucp uucp 512 Jan 19 08:28 /var/spool/locks
    276741 0 crw------- 1 uucp uucp 29,131072 Jan 17 16:16 /devices/sbus1f,0/zsf,1100000:a,cu
    276742 0 crw------- 1 uucp uucp 29,131073 Jan 17 16:16 /devices/sbus1f,0/zsf,1100000:b,cu
    (the 2 devices are /dev/term/a and /dev/term/b ...)

    For those who don't know what I'm talking about:
    Elevate your UID to uucp, then replace uudecode and uuencode with
    trojaned versions that check if [E]UID is 0 and create a backdoor
    when this happens.
    Then just wait until root processes some uuencoded file...
    [one may send a uuencoded mail to root or try to get him to
    use uudecode by other means to accelerate this...]

    have a nice and safe day,

    (chmod a-s /usr/bin/cu until fixed by Sun Microsystems.
    or pkgrm SUNWbnuu SUNWbnur for all those who don't require UUCP ;)
    btw, did the author of the first post contact Sun about this issue?)

    Juergen

    --
    Juergen P. Meier                        email: jpmclass.de
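
Added example, not part of the original message: the ownership check the post runs for uucp, generalised into an audit that reports anything under a set of directories not owned by a trusted UID. The function name `audit_owned` and the SETID/EXEC/DIR tags are this example's own; it assumes only standard `find` primaries.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: audit_owned TRUSTED_UID DIR...
# Reports, below each DIR, objects whose owner is not TRUSTED_UID and which
# a privileged user may end up relying on:
#   SETID  set-uid/set-gid file: running it grants its owner's or group's rights
#   EXEC   other executable: its owner can replace the contents at any time
#   DIR    directory: its owner can create, rename or remove entries in it
audit_owned() {
    trusted=$1
    shift
    find "$@" -xdev -type f ! -user "$trusted" \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        sed 's/^/SETID /'
    find "$@" -xdev -type f ! -user "$trusted" \
        ! -perm -4000 ! -perm -2000 \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print 2>/dev/null |
        sed 's/^/EXEC /'
    find "$@" -xdev -type d ! -user "$trusted" -print 2>/dev/null |
        sed 's/^/DIR /'
}

# When called with directories, audit them against root (UID 0), e.g.
#   sh audit.sh /usr/bin /usr/sbin /var/spool
if [ "$#" -gt 0 ]; then
    audit_owned 0 "$@"
fi
```

Each reported line is a candidate for a change of owner to root, removal of the set-id bit, or removal of the package, as the message suggests for the UUCP tools.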