Bugtraq mailing list archives
more info on the iosmash.c exploit
From: John Scimone <jscimone () cc gatech edu>
Date: Tue, 23 Apr 2002 20:23:43 +0000
phased had some comments he wanted me to forward on to the lists in regards to his latest exploit. He says that skeys are used via all authentication methods... i.e telnet, so someone could change the user to someone in the wheel group. Haven't used skeys via ssh yet but I presume it works. Root obviously can't just telnet in by default but usually can ssh, but if the box being exploited contains people in the wheel group you can change the root user in the exploit to any user to log in via skeys as that user. -sert- That file you've been guarding, isn't. ------------------------------------------------------------------- ______________________________ / _____/\______ \__ ___/ | Secure Network Operations \_____ \ | _/ | | | http://www.snosoft.com / \ | | \ | | | recon () snosoft com /_______ / |____|_ / |____| | \/ \/ | Project Cerebrum Strategic Reconnaissance Team | cerebrum () snosoft com ---------- Forwarded message ---------- Date: Wed, 24 Apr 2002 03:33:15 +0400 From: James Green <phased () mail ru> To: recon () snosoft com Subject: the iosmash.c exploit in the comments i used su to gain root, someone needs to post to bugtraq that skeys is used via all auth methods, i.e. telnet so you could change the user to someone in wheel, havent used skeys via ssh but i presume it works. root isnt allowed to telnet default but usually can ssh, but if the box has people in the wheel group you can change the root to any user in the exploit to log in via skeys as that user. btw dont forward this post can i had some beers tonight heh :) put it in better english lol phased phased () snosoft com -------------------------------------------------------
Current thread:
- more info on the iosmash.c exploit John Scimone (Apr 24)