Great big gaping hole in ua's security
j eric townsend
erict at flatline.UUCP
Mon Jul 25 07:39:11 AEST 1988
Well, I found another one. Doesn't surprise me though. :-)
It's even more nefarious, and the user doesn't have to change
*anything* to get an id=0,gid=0 shell!

If you have the "Toybox" installed, and a game that lets you
escape to shell, odds are you have a root shell. I did this
with a game in my Toybox.... I checked the toybox file, and
noticed that *all* the games were run:

Run=EXEC -pwd /usr/games/nameofgame

Each game is run from a root shell. Any game that lets you escape
to shell will spawn a root shell. I'm going to try modifying it to
see if the games will run w/o root permissions.

Geeze. AT&T is *soooo* bad-ass about their equipment, then they
fuck up like this. They used to charge what, $12k for a 3b1?

Some people may be upset that I posted this security hole. I think
that if people know about it, they can fix it, otherwise you have:
set criminal-types know about hole,
set user-types do not,
criminal-types can use hole to take advantage of user-types.

People interested in breaking into 3b1's probably know about this
one already, so....
--
Motorola Skates on Intel's Head!
J. Eric Townsend ->uunet!nuchat!flatline!erict smail:511Parker#2,Hstn,Tx,77007
..!bellcore!tness1!/
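
An audit sketch for the entries described in the post above, added here as an example and not part of the original message: it lists every Run=EXEC line in a menu file and marks those launched with the exact flag string the post quotes (-pwd). The function name, the sample file and the single-line entry layout are assumptions; the script does not claim which individual flag is responsible.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumption: entries are single lines shaped like the one quoted in the post:
#   Run=EXEC [-flags] /path/to/program
# Nothing else about the file format is assumed; other lines are ignored.

ua_exec_audit() {
    # $1 = file to scan
    # $2 = flag string to match (default: -pwd, the string quoted in the post)
    awk -v want="${2:--pwd}" '
        /^[ \t]*Run=EXEC[ \t]/ {
            sub(/^[ \t]*Run=EXEC[ \t]+/, "")   # leaves "[-flags] program"
            flags = "none"; prog = $1
            if ($1 ~ /^-/) { flags = $1; prog = $2 }
            # MATCH  = same invocation the post reports as giving a root shell
            # REVIEW = different or no flags; inspect by hand
            verdict = (flags == want) ? "MATCH" : "REVIEW"
            printf "%s line=%d flags=%s prog=%s\n", verdict, NR, flags, prog
        }' "$1"
}

# Constructed sample input (not a real Toybox file). Only the first Run line
# is taken from the post; the other entries are made up for contrast.
sample=$(mktemp)
cat > "$sample" <<'EOF'
some other menu line
Run=EXEC -pwd /usr/games/nameofgame
Run=EXEC -wd /usr/games/othergame
Run=EXEC /usr/games/plaingame
EOF

ua_exec_audit "$sample"
```

Each MATCH line names a program worth checking for a shell escape before it stays on the menu.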