From owner-freebsd-security  Tue Jul 16 16:03:09 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id QAA07386
          for security-outgoing; Tue, 16 Jul 1996 16:03:09 -0700 (PDT)
Received: from mail.crl.com (mail.crl.com [165.113.1.22])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id QAA07375
          for <freebsd-security@freebsd.org>; Tue, 16 Jul 1996 16:03:06 -0700 (PDT)
Received: from umbc7.umbc.edu (f-umbc7.umbc.edu) by mail.crl.com with SMTP id AA23593
  (5.65c/IDA-1.5 for <freebsd-security@freebsd.org>); Tue, 16 Jul 1996 16:02:32 -0700
Received: (from pauld@localhost) by umbc7.umbc.edu (8.6.12/Umbc) id TAA08854; Tue, 16 Jul 1996 19:00:32 -0400
Date: Tue, 16 Jul 1996 19:00:30 -0400 (EDT)
From: Paul Danckaert <pauld@umbc.edu>
To: freebsd-security@freebsd.org
Subject: [linux-security] sliplogin (fwd)
Message-Id: <Pine.SGI.3.91.960716185055.7842B-100000@umbc7.umbc.edu>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk



Interesting.  The code is the same on FreeBSD, it looks like.  However, on
the default distributed system, there isn't a /etc/sliphome directory,
which is necessary for sliplogin to startup correctly.  Therefore the
standard FreeBSD distribution dies out before it gets anywhere near the
system command. If you do run slip off of your system however, its much
more possible that bad things can happen.. 

paul

---------- Forwarded message ----------
Date: Tue, 16 Jul 1996 15:27:19 -0500
From: David Holland <dholland@hcs.HARVARD.EDU>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Subject: [linux-security] sliplogin

Anyone running a version of sliplogin older than sliplogin-2.1.0
(which can be gotten from sunsite.unc.edu:/pub/Linux/system/Network/serial
or ftp.uk.linux.org:/pub/linux/Networking/transports) should remove it
or upgrade it immediately.

It does

        setuid(0);
        if (s = system(logincmd)) {
           :
        }

without clearing the environment first. Therefore, anybody can get
root trivially.

The sliplogin from NetKit-B-0.06 is affected.
Current RedHat sliplogin is not affected.
Others I don't know about.

--
   - David A. Holland          | Number of words in the English language that
     dholland@hcs.harvard.edu  | exist because of typos or misreadings: 381