From: Jay Tribick
Date: Thu, 10 Sep 1998 12:07:05 +0100 (BST)
To: freebsd-security@FreeBSD.ORG
Subject: Err.. cat exploit.. (!)

Hi All..

Was just having a look in /var/log the other day and spotted a file called sendmail.st, wondering what it was I cat'd it and here's what it did:

bofh$ cat sendmail.st
`ay5habf33*`ma}`)`Jj]: Jsu-2.01$ xtermxterm
su: xtermxterm: command not found
bofh$

This seems quite scary to me, couldn't someone embed 'rm -rf /' within a text file and then, if root cats the file it nukes their system?

Here's an 'od' dump of the file, unfortunately I don't have the time to investigate this further:

bofh$ od sendmail.st
0000000 130736 000001 000002 000000 177032 032616 001150 000000
0000020 000000 000000 000000 000000 000000 000000 175721 000000
0000040 000000 000000 173327 000003 000000 000000 000000 000000
0000060 000000 000000 000000 000000 000000 000000 000000 000000
*
0000200 170546 000063 000000 000000 025063 000203 000000 000000
0000220 000000 000000 000000 000000 000000 000000 000000 000000
*
0000320 000000 000000 000000 000000 000741 000000 130255 000000
0000340 000000 000000 066405 000002 000000 000000 174575 000001
0000360 000000 000000 000000 000000 000000 000000 000000 000000
*
0000460 000000 000000 000000 000000 000000 000000 007734 000000
0000500 132451 000001 000000 000000 170650 000112 000000 000000
0000520 065262 000135 000000 000000 000000 000000 000000 000000
0000540 000000 000000 000000 000000 000000 000000 000000 000000
*
0000640 000000 000000 000000 000000 000000 000000 004472 000000
0000660 000000 000000 045005 000000 000000 000000 000000 000000
0000700 000000 000000 000000 000000 000000 000000 000000 000000
*
0001140

bofh$ uname -a
FreeBSD server1.fastnet.co.uk 2.2.6-RELEASE FreeBSD 2.2.6-RELEASE #0: Mon Jun 22 17:33:00 BST 1998 kronus@anarchy.fast.net.uk:/usr/src/sys/compile/ANARCHY i386

Regards,

Jay Tribick
--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]
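
Added example, not part of the original message: a short Python decoder for the default `od` output above, run over rows 0000320 to 0000660 copied from the dump, to locate bytes a terminal may act on rather than display. It assumes little-endian 16-bit words (the host is i386); the `RISKY` list and the function names are this example's own, and reading the typed-back text as the terminal's reply to ENQ is an assumption, not something the post states.

```python
# Added example: decode default `od` output (octal 16-bit words) and flag
# bytes a terminal may act on. Little-endian is assumed (the host is i386).
OD_EXCERPT = """\
0000320 000000 000000 000000 000000 000741 000000 130255 000000
0000340 000000 000000 066405 000002 000000 000000 174575 000001
0000360 000000 000000 000000 000000 000000 000000 000000 000000
*
0000460 000000 000000 000000 000000 000000 000000 007734 000000
0000500 132451 000001 000000 000000 170650 000112 000000 000000
0000520 065262 000135 000000 000000 000000 000000 000000 000000
0000540 000000 000000 000000 000000 000000 000000 000000 000000
*
0000640 000000 000000 000000 000000 000000 000000 004472 000000
0000660 000000 000000 045005 000000 000000 000000 000000 000000
"""
# Bytes flagged here (this short list is the example's own choice).
RISKY = {0x05: "ENQ", 0x1B: "ESC", 0x9B: "CSI"}

def od_to_bytes(text):
    """Return (start_offset, data) rebuilt from default `od` output."""
    data, start, prev, repeat = bytearray(), None, b"", False
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "*":  # previous row repeats up to the next offset
            repeat = True
            continue
        offset = int(fields[0], 8)
        if start is None:
            start = offset
        while repeat and prev and start + len(data) < offset:
            data += prev
        repeat = False
        prev = b"".join(int(w, 8).to_bytes(2, "little") for w in fields[1:])
        data += prev
    return start, bytes(data)

def find_risky(text):
    """List (file_offset, name) for every flagged byte in the dump."""
    start, data = od_to_bytes(text)
    return [(start + i, RISKY[b]) for i, b in enumerate(data) if b in RISKY]

if __name__ == "__main__":
    for offset, name in find_risky(OD_EXCERPT):
        print(f"offset {offset:07o}: {name}")
```

On this excerpt it reports ENQ at offsets 0000344 and 0000664; `cat -v` or `od -c` shows such a file without sending those bytes raw to the terminal.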