From owner-freebsd-security Mon Jun 24 13:36:56 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA29657 for security-outgoing; Mon, 24 Jun 1996 13:36:56 -0700 (PDT)
Received: from soda.CSUA.Berkeley.EDU (soda.CSUA.Berkeley.EDU [128.32.43.52]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id NAA29636; Mon, 24 Jun 1996 13:36:51 -0700 (PDT)
Received: (from richardc@localhost) by soda.CSUA.Berkeley.EDU (8.6.12/8.6.12) id NAA20708; Mon, 24 Jun 1996 13:36:53 -0700
Date: Mon, 24 Jun 1996 13:36:51 -0700 (PDT)
From: Veggy Vinny
To: Mark Murray
cc: Mark Murray , Wilko Bulte , "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606242027.WAA06360@grumble.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 24 Jun 1996, Mark Murray wrote:

> Veggy Vinny wrote:
> > > Take claims like this with a pinch of salt. ;-)
> >
> > I know but I tried it and it does let me run vipw ;-)
> >
> > > What is the program? If we know how it works, we can fix any security hole
> > > it may be exploiting.
> >
> > Hmmm, the program is called root, no sources.. it's just a 278k
> > binary...
>
> With a setuid bit?

Not too sure...

> Does ktrace(1) give any clues?

Nope... :-(

> What do you get from strings(1)? (Long shot..)

-rwsr-xr-x 1 root users 278528 Jun 18 04:01 root

is from the dir listing. as for strings... it's really long...

> What other exploration have you done?

Not much really..... I do remember seeing someone like hack root
using ypwhich and it worked too.... that was on 2.1R... -current seemed
to fix it...

Vince
GaiaNet System Administration