Bugtraq mailing list archives
Re: Solaris /usr/bin/cu Vulnerability
From: "Juergen P. Meier" <jpm () class de>
Date: Fri, 19 Jan 2001 09:36:24 +0100
On Thu, Jan 18, 2001 at 08:19:10PM +0100, Tomas Cibulka wrote:
HI solaris 2.8 seems to be also affected by this bug. But U can gain only uucp rights in default instalation. bye
If i look at the output of find / -user uucp -xdev -ls on a freshly installed and patched solaris7, this seems enough for me to r00t the box. # find / -user uucp -xdev -ls 188616 55 -rws--x--x 1 uucp bin 56240 Jan 9 06:39 /usr/bin/tip 188741 8 -r-xr-xr-x 1 uucp uucp 8188 Sep 1 1998 /usr/bin/uudecode 188742 8 -r-xr-xr-x 1 uucp uucp 7224 Sep 1 1998 /usr/bin/uuencode 123841 0 -rw------- 1 uucp bin 0 Jan 17 15:54 /var/adm/aculog 300661 1 drwxr-xr-x 2 uucp uucp 512 Jan 19 08:28 /var/spool/locks 276741 0 crw------- 1 uucp uucp 29,131072 Jan 17 16:16 /devices/sbus@1f,0/zs@f,1100000:a,cu 276742 0 crw------- 1 uucp uucp 29,131073 Jan 17 16:16 /devices/sbus@1f,0/zs@f,1100000:b,cu (the 2 devices are /dev/term/a and /dev/term/b ...) for those who dont know what im talking about: Elevate your UID to uucp, then replace uudecode and uuencode with trojaned versions that check if [E]UID is 0 and create a backdoor when this happens. Then just wait until root processes some uuencoded file... [one may send a uuencoded mail to root or try to get him to use uudecode by other means to accelerate this...] have a nice and safe day, (chmod a-s /usr/bin/cu until fixed by Sun microsystems. or pkgrm SUNWbnuu SUNWbnur for all those who dont require UUCP ;) btw, did the author of the first post contact Sun about this issue?) Juergen -- Juergen P. Meier email: jpm () class de
Current thread:
- Solaris /usr/bin/cu Vulnerability Pablo Sor (Jan 18)
- Re: Solaris /usr/bin/cu Vulnerability Tomas Cibulka (Jan 18)
- Re: Solaris /usr/bin/cu Vulnerability Juergen P. Meier (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability Casper Dik (Jan 22)
- Re: Solaris /usr/bin/cu Vulnerability Juergen P. Meier (Jan 19)
- Solaris /usr/bin/cu Vulnerability hal King (Jan 23)
- Re: Solaris /usr/bin/cu Vulnerability Dan Harkless (Jan 30)
- <Possible follow-ups>
- Re: Solaris /usr/bin/cu Vulnerability Konrad Rieck (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability Michael H. Warfield (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability Wietse Venema (Jan 22)
- Re: Solaris /usr/bin/cu Vulnerability Michael H. Warfield (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability optyx (Jan 30)
- Re: Solaris /usr/bin/cu Vulnerability Dan Harkless (Jan 31)
- Re: Solaris /usr/bin/cu Vulnerability Tomas Cibulka (Jan 18)