Date:      Tue, 25 Jun 1996 22:11:14 -0700
From:      "Michael L. VanLoon -- HeadCandy.com" <michaelv@HeadCandy.com>
To:        -Vince- <vince@mercury.gaianet.net>
Cc:        "Eric J. Schwertfeger" <ejs@bfd.com>, Mark Murray <mark@grumble.grondar.za>, hackers@freebsd.org, security@freebsd.org, Chad Shackley <chad@mercury.gaianet.net>, jbhunt <jbhunt@mercury.gaianet.net>
Subject:   Re: I need help on this one - please help me track this guy down! 
Message-ID:  <199606260511.WAA00500@MindBender.HeadCandy.com>
In-Reply-To: Your message of Tue, 25 Jun 96 13:03:06 -0700. <Pine.BSF.3.91.960625130237.25073B-100000@mercury.gaianet.net> 


>On Tue, 25 Jun 1996, Eric J. Schwertfeger wrote:
>> On Tue, 25 Jun 1996, -Vince- wrote:

>> > 	Yeah, you have a point but jbhunt was watching the user as he 
>> > hacked root since he brought the file from his own machine.... so that 
>> > wasn't something the admin was tricked into doing..

>> Then the important question is, how did he move the file so that it
>> retained the setuid bit?  We're already pretty sure that the program is
>> only /bin/sh with the setuid bit turned on.  So either he found a way to
>> move the file with the bit turned on, or he found a way to turn it on,
>> which requires root access.

>	It was a remote login so he had to transfer it over somehow...

Well, *if* that's true, it still wouldn't be setuid root just from the
transfer.  He'd *still* have to get root some other way to make this
binary setuid root.

But if he's going to do that, why bother copying a binary over the
network -- it would just be easier to just snag a copy of your own
/bin/sh and mark it setuid root.

-----------------------------------------------------------------------------
  Michael L. VanLoon                                 michaelv@HeadCandy.com
        --<  Free your mind and your machine -- NetBSD free un*x  >--
    NetBSD working ports: 386+PC, Mac 68k, Amiga, Atari 68k, HP300, Sun3,
        Sun4/4c/4m, DEC MIPS, DEC Alpha, PC532, VAX, MVME68k, arm32...
    NetBSD ports in progress: PICA, others...

   Roll your own Internet access -- Seattle People's Internet cooperative.
                  If you're in the Seattle area, ask me how.
-----------------------------------------------------------------------------
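
Added example (not part of the original message or thread): a defender-side check for the artifact discussed above, a copy of /bin/sh with the setuid bit set and root ownership. The function names and the owner_uid parameter are hypothetical; owner_uid defaults to 0 (root) and exists only so the check can be exercised without privileges.

```python
import hashlib
import os
import stat
import sys


def sha256_of(path):
    """Hash a file's contents in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_setuid_shell_copies(root, shells=("/bin/sh",), owner_uid=0):
    """Return sorted (path, shell) pairs for regular files under root that are
    setuid, owned by owner_uid, and byte-identical to one of the given shells."""
    known = {}
    for shell in shells:
        try:
            known[sha256_of(shell)] = shell
        except OSError:
            continue  # shell not present on this system
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
                if not stat.S_ISREG(st.st_mode):
                    continue
                if not (st.st_mode & stat.S_ISUID) or st.st_uid != owner_uid:
                    continue
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable or vanished; run as root for full coverage
            if digest in known:
                hits.append((path, known[digest]))
    return sorted(hits)


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for path, shell in find_setuid_shell_copies(start):
        print(f"{path}: setuid-root copy of {shell}")
```

A shell binary brought over from another machine will not hash-match the local /bin/sh, so any setuid-root file outside the system's expected set still needs manual review.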


