Vulnerability Development mailing list archives

Re: Possible exploit in FreeBSD 4.0


From: John Herron <john.herron () RRC STATE TX US>
Date: Fri, 27 Oct 2000 09:21:01 -0500

I'm glad I got some responses.  Thanks.  I'll *try* to answer all the responses in this one email.  I really regret not 
writing down the error it did say after the motd gets typed.

> It may possibly be that login can't create any temporary files and dumps you into
> root so you can fix the problem, or just doesn't know what to do, so it dumps you
> to root.  Is this drive partitioned? Does /tmp have a separate partition?

Ok, I don't know much about *nix, period.  When I install FreeBSD I just do "A" for the automatic information on the 
partitioning AND structuring options.  So yes, I think the partitions ARE separated..  Hm.. right now (typing mount) I 
only see /, /usr, /var, and /proc.  But right now, since I couldn't get 4.0 to install correctly (think the CD may be 
scratched or I could just be an idiot), I'm using 4.1.1.

> Where is your install choking?

MY problems usually occur after the installation completes.  It says "Congratulations" etc, then I go tell it my 
network card (which it DOES see under ep0); sometimes it will crash when trying to initialize DHCP (which is supported 
on this network) and it even crashed when I tried (correctly) setting up the info myself (since I actually have a 
static IP address here).  The other place it REALLY started crashing was when I'm ready to set the timezone.  I tell 
it, yes I want to, and then the computer (speaker) starts beeping frantically.  I went to the debug screen and just saw 
some numbers like it's decompressing stuff or whatever (they were unevenly spaced out and a new one would come up every 
few seconds or less).  I do know during installation it would tell me it couldn't install this, want to try again? (I 
have to say "no" since it would fail), which makes me think it may be the CD.. even though with my brand new 4.1.1 CD I 
didn't get some source code (even though I told it NOT to install that) to install, so it errored.. later I saw it 
complain that /var/libs or something didn't exist and I should do something about it.

Anyway, it's back up (newer version) but still I have a tendency of having trouble with *nix crashing on me lol.

With installation, here's a physical but possible hack.  If you boot off of the CD to install the OS like I do once in 
a while, then you CAN get into install and from there use their root prompt (ttyv5?) and mount the other partition and 
gain access most likely.

What DID happen is that when I installed (I selected "all") on a 1GB HD, it filled the drive up.  I didn't do a NEW 
install though, so it wasn't supposed to be overwriting my current setup, just installing all the extra crapware.  My 
theory (which I MAY try if I really want to fuss with installing again lol) was if I was on a terminal, etc.. I could 
easily write a script to just send junk to bla.txt, fill up the hard drive, su to root and see if it doesn't want a 
password again.  If not, get in, kill your file and you're pretty well off.

When I was doing this install I was doing it through a telnet session from another computer.  So even though I wouldn't 
have been able to log in (even at the MAIN station) as anyone BUT root (and again it would glitch and load without a 
password), unfortunately I didn't think to write the info I saw down or try much (I couldn't telnet in as root 
obviously, OR anyone else).  But now that I think about it, I WAS telnetted in through another machine and PROBABLY could 
have su'd to root and taken advantage of that no password.

> Just want to find out what type of install method you chose, i.e. did you
> only choose to install selected packages or any other method, and secondly
> did any of the original accounts from before the package installs still
> exist in the passwd and/or shadow file. Just want some more info on the
> error :)

The original install was standard, and I think without x86 (I wasn't the one to DO the original install but watched him 
do it) and he was just getting the box "up" (after he gets the box up is when HE starts to do the extra 
stuff/configuration).  I personally try to do it all at once even though that's probably stupid heh.  When I did my 
other addon install I ran sysinstall (I guess I either su'd to root or it was because I put myself in the group wheel) 
and went to Configuration, probably "Distributions" (that or Packages), and selected that I wanted "All".  And told it 
to just install it.  It went on for a few hours (slow machine), plus I had to tell it not to try again on the things it 
couldn't install, and it finally errored out after a few messages saying it couldn't write to the drive (free space).  
Finally I went to the box to physically try to fix it, and that's when I couldn't get logged in; I was seeing messages 
that root logged in (even though they were old), and I was only able to get in as "root".  I was just curious if anyone 
had a box they could sacrifice to test that.. (installing more than your HD can handle) and see if they get the same 
results.  If you have to be root to install (which seems to be the case) then I guess it's only good for a physical 
access exploit.

