Bugtraq mailing list archives
Re: Is starting a user program on priv port via inetd dangerous ?
From: ericm () MicroUnity com (Eric Murray)
Date: Thu, 21 Jul 94 16:39:37 MDT
Doug McLaren wrote:
Oh, here's the scenario : I imagine a few of you are familiar with IRC - there's a network of servers talking to each other, and listening for client and server connections. Currently the defacto port is 6667. But there's a growing movement to change this to 194, which will magically add 'accountability', 'responsibility' and 'respectability' to IRC. (how effective this would be has been beaten to death on the IRC mailing lists with no apparant answer.)
[..]
ircd stream tcp wait dougmc /home/dougmc/ircd/ircd ircd \-i (apparantly even this doesn't always work, but that's not my question either.) My question is this: I own /home/dougmc/ircd/ircd, so I can change it in any way I want. Is it possible to alter it in such a way that it takes this open fd to port 194 and abuses it, perhaps uses it to spoof a rlogin or rsh?
A quick perusal of (4.3BSD) inetd shows that it forks, the child gets setuid & setgid to the user that ircd is supposed to run as (dougmc in this case), and exec()d. Doesn't look too bad, but I just glanced at the code, and I couldn't say if any other version of UNIX doesn't do something dumb in inetd. So, if there's a hole in ircd, it could cetainly be exploited as dougmc but probably not as root. So it's probably not much worse than regular port 6667 in that respect. It's still a pretty stupid idea, but you're already ware of that. -- ericm ericm () microunity com
Current thread:
- Re: Wall and talkd pass binary data, (continued)
- Re: Wall and talkd pass binary data Martin Sean Bennet - Sun UK - CSG Engineer (Jul 20)
- Re: Sending escape sequences to xterms via wall/talk Mike Raffety (Jul 20)
- Re: Sending escape sequences to xterms via wall/talk Christopher A. Stewart (Jul 20)
- Re: Sending escape sequences to xterms via wall/talk Andrew Beckett (Jul 21)
- setuid root programs and core dumps Rob Quinn (Jul 21)
- Re: Sending escape sequences to xterms via wall/talk Paul Daw (Jul 21)
- Re: Sending escape sequences to xterms via wall/talk Evil Pete (Jul 21)
- Re: Sending escape sequences to xterms via wall/talk Christopher A. Stewart (Jul 21)
- Re: Sending escape sequences to xterms via wall/talk pluvius (Jul 22)
- Re: Sending escape sequences to xterms via wall/talk Mike Raffety (Jul 20)
- Re: Wall and talkd pass binary data Martin Sean Bennet - Sun UK - CSG Engineer (Jul 20)
- Is starting a user program on priv port via inetd dangerous ? Doug McLaren (Jul 21)
- Re: Is starting a user program on priv port via inetd dangerous ? Eric Murray (Jul 21)
- Re: Is starting a user program on priv port via inetd dangerous ? matthew green (Jul 21)
- Re: Is starting a user program on priv port via inetd dangerous ? Darren Reed (Jul 22)
- Re: Is starting a user program on priv port via inetd dangerous ? jmc () gnu ai mit edu (Jul 22)
- yes, there's another hole in BIND Paul A Vixie (Jul 21)
- Re: yes, there's another hole in BIND Resident Hacker (Jul 22)
- Re: yes, there's another hole in BIND Paul A Vixie (Jul 22)
- Re: yes, there's another hole in BIND Perry E. Metzger (Jul 22)
- Re: yes, there's another hole in BIND Pat Myrto (Jul 22)
- Re: yes, there's another hole in BIND David Barr (Jul 22)
- Re: yes, there's another hole in BIND Joe Hentzel (Jul 22)