What's so special about uudecode?
Riccardo Pizzi
pizzi at esacs.UUCP
Thu Jan 10 21:56:47 AEST 1991
In article <3036 at polari.UUCP> tronix at polari.UUCP (David Daniel) writes:
>[]Ha! I think your vendor has made the *dreadful* error of making
>[]uudecode setuid to uucp "for the convenience of decoding received uucp
>[]files". I have seen systems where this is a horrible security hole in
>[]that uudecode will allow anyone to make a setuid-to-uucp shell (begin 4755
>
> [remainder of security hole explanation deleted]
>Even
>though you've told the net at large and who knows how many BBS's
>around the world exactly how to hack a specific system and possibly
>others I'll make a suggestion:
>You should have answered this person via e-mail with a cc to root. I'm
>glad I don't have an account on his system.
I do not agree with you, by the way.
The information about security holes is of big interest for the entire
USENET community; it is stupid to try to hide things like this because of
being afraid of hackers. Just remember: hackers already knows many of them,
while most system admin don't. Not being an hacker, I understand that a system
admin is not able to find all the possible ways to hack a system just because
that is not his goal, but is the hacker's one.
I don't remember the name of the guy who explained the uudecode security hole,
but I want to publicly thank him for the advice.
Rick
--
Riccardo Pizzi @ ESA Software, Rimini, ITALY
e-mail: pizzi%esacs at relay.EU.net -or- root at xtc.sublink.org
Public Access Unix @ +39-541-27858 (Telebit)
<< Object Oriented is an Opaque Disease >>
More information about the Comp.unix.questions
mailing list