Full Disclosure mailing list archives
Re: bitchx exploit
From: Valdis.Kletnieks () vt edu
Date: Thu, 21 Apr 2005 14:21:03 -0400
On Thu, 21 Apr 2005 10:24:06 PDT, Andrew Farmer said:
I have never, ever seen BitchX installed suid, and there's no reason it would be. SSL clients work just fine without suid.
I'm sure there's *plenty* of places that managed to botch permissions on some file or other, causing SSL to not work correctly, and then they chmod +s things that don't work because they know how to wave a dead chicken over the CPU, but they don't know how to *FIX* things. Consider a box that some idiot has done a 'chmod 640 /usr/lib/libssl*'..... (I've not personally seen a BitchX installed this way, but I've seen enough OTHER stuff to convince me it's probably happening. Even came across a setUID /bin/ls that the sysadmin-monkey had done - and I've seen a *vendor* ship a set-UID /bin/tar (so it could set the correct owner/group when extracting).
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- bitchx exploit sk (Apr 21)
- Re: bitchx exploit Andrew Farmer (Apr 21)
- Re: bitchx exploit Valdis . Kletnieks (Apr 21)
- Message not available
- Re: bitchx exploit Pablo Escobar (Apr 24)
- Re: bitchx exploit Andrew Farmer (Apr 21)