Bugtraq mailing list archives
Re: Exploit for Linux wu.ftpd hole
From: medulla () infosoc com (Mike Edulla)
Date: Sat, 8 Jul 1995 14:19:31 -0400
On Wed, 5 Jul 1995, Larry Kruper wrote:
> Date: Wed, 5 Jul 1995 19:40:51 -0700
> From: Larry Kruper <lak () home crimelab com>
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ () CRIMELAB COM>
> Subject: Re: Exploit for Linux wu.ftpd hole
>
> On Wed, 5 Jul 1995, Henri Karrenbeld wrote:
>
> > Date: Wed, 5 Jul 1995 18:44:17 +0100
> > From: Henri Karrenbeld <H.Karrenbeld () ct utwente nl>
> > To: Multiple recipients of list BUGTRAQ <BUGTRAQ () CRIMELAB COM>
> > Subject: Exploit for Linux wu.ftpd hole
> >
> > minicom has a known, but not very well-known hole in it that is nearly identical to the wu-ftp hole. If you are a legitimate user of a pre-1.71 version of minicom, you can get root. It's the same sort of thing, seteuid(0), and then make a suid root shell somewhere - you do it by changing the name of 'runscript' to your shell... It wouldn't really be much of a problem, except that Linux to this day (I believe) continues to have the users gonzo, satan, and snake in minicom.users (or the Slackware release does, at the very least).
>
> ---
>
> So, how is this bug exploited if gonzo, satan or snake are not in /etc/passwd? With the minicom F - username (i.e. satan) I do not get an error for not being in the minicom.users file, but J does not jump to a shell. How is this done? I am doing this on my own system, not someone else's.
Indeed, this offers some protection - it's nonetheless a serious bug. Anyone who has, or can get access to minicom via minicom.users can get root. Also, under the default config on 1.70, {metakey}J doesn't jump to a shell, it suspends the program. That's why the intruder must edit the path to runscript instead (runscript is the script interpreter, and its path can be edited in the configuration area).