Date: Sat, 10 Feb 1996 00:08:19 -0800
From: Paul Traina <pst@shockwave.com>
To: Brian Tao <taob@io.org>
Cc: FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
Subject: Re: User creating root-owned directories?
Message-ID: <199602100808.AAA02008@precipice.shockwave.com>
In-Reply-To: Your message of "Sat, 10 Feb 1996 01:24:44 EST." <Pine.BSF.3.91.960210011627.17721I-100000@zip.io.org>
errr... did your sysadmin have root when he did ls -l in that user's directory? if so, did he have . in his path? You possibly could have been had by someone who had a ls executable which, when run as root, deleted itself, created the directory, AND created a setuid program somewhere.

In any case, I'd upgrade to sendmail 8.7.x (x=current) and freebsd 2.1 -stable just to be sure you've got all the security patches. 8.6.12 does have bugs in it which could allow a user to gain root.

> Date: Sat, 10 Feb 1996 01:24:44 -0500 (EST)
> From: Brian Tao <taob@io.org>
> To: FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
> Subject: User creating root-owned directories?
> Precedence: bulk
>
> I was sent this message from one of our support staff. Any ideas how this user could have created the root directory? It looks like a sendmail hole, or an instance of exploiting a buffer that is then passed through a shell interpreter (note the "ls ; !" portion of the name).
>
> We are running a mixed BSD/OS, FreeBSD and NetBSD environment. The mail server is a BSD/OS 2.0 machine running sendmail 8.6.12, shell servers are FreeBSD 2.1 and the NFS server is NetBSD 1.1. User home directories are accessible on any of the above machines.
>
> In general, how does one go about tracking down this kind of problem? SementE is the nickname of a known hacker, and it really bugs me when some snot-nosed kid finds security holes I don't. :-/ ;-)
> --
> Brian Tao (BT300, taob@io.org)
> Systems Administrator, Internex Online Inc.
> "Though this be madness, yet there is method in't"
>
> ---------- Forwarded message ----------
> Date: Sat, 10 Feb 1996 00:20:32 -0500 (EST)
> From: Mark Salerno <mjs@io.org>
> To: Brian Tao <taob@io.org>
> Subject: Someone hacked root it seems.
>
> This may be a false alarm, but..
>
> this evening (friday) I received a message from a user online, who wanted me to notify you that someone had hacked root. Although I didn't believe him at first, here's the proof he gave. I entered into his directory and did an 'ls -lr'
>
> total 164
> -rw-r--r-- 1 cfloyd user 20 Jun 26 1995
> -rw-r--r-- 1 cfloyd user 82498 Aug 14 21:34 phoenix.irc
> -rw------- 1 cfloyd user 14893 Aug 14 21:31 phoenix.hlp
> drwx------ 2 cfloyd user 512 Aug 30 1994 mail
> -rw------- 1 cfloyd user 27815 Aug 14 17:40 extras.irc
> -rw-r--r-- 1 cfloyd user 35007 Dec 31 19:48 eggdox.doh
> drwxr-xr-x 2 root user 512 Feb 9 00:11 SementE wuz herels ; !
> drwx------ 4 cfloyd user 512 Feb 3 1995 News
> drwx------ 2 cfloyd user 512 Feb 8 00:49 Mail
>
> look at the SementE file. owned by root. inside his dir. Not sure exactly what this means. Looks like someone has root. thought I should let you know. If I'm just causing a false alarm, someone please splash me with a bottle of snapple ;)
>
> -MS
>
> --- MSofty: Mark Salerno - mjs@io.org, msofty@io.org
> -- Internex Online Support Staff
> - 20 Bay St., Suite 1625. Toronto, Ontario. M5J 2N8
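Paul's reply points at the classic mechanism: if root runs `ls` inside a user's directory while `.`, an empty entry, or any relative entry sits in PATH, the shell resolves `ls` against the current directory and runs whatever the user put there. The POSIX sh script below is an added example, not part of this thread, that an administrator can use to check for that PATH condition and to inventory a home tree for the kind of entry Mark's listing shows (root-owned entries, setuid/setgid files, and names containing shell metacharacters such as `ls ; !`). The function names and the constructed test tree are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): defensive checks for the
# conditions discussed above. Assumes only POSIX sh, find(1) and sed(1).

# path_has_cwd PATHSTRING
# Returns 0 (true) if any entry in PATHSTRING resolves against the current
# directory: '.', './x', an empty entry (leading, trailing or doubled ':'),
# or any other relative entry. Such a PATH lets a user's own 'ls' shadow
# /bin/ls when root changes into that user's directory.
path_has_cwd() {
    _rest="$1:"                       # trailing ':' terminates the last entry
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"         # text before the first ':'
        _rest="${_rest#*:}"           # drop it and the ':'
        case "$_entry" in
            /*) ;;                    # absolute entry: fine
            *)  return 0 ;;           # '', '.', './x', 'bin': cwd-relative
        esac
    done
    return 1
}

# suspicious_name NAME
# Returns 0 if NAME contains characters that a shell would interpret when
# the name is passed unquoted through a command line (the "ls ; !" case).
suspicious_name() {
    _nl='
'
    case "$1" in
        *';'*|*'|'*|*'&'*|*'`'*|*'$'*|*'!'*|*'<'*|*'>'*|*"$_nl"*) return 0 ;;
    esac
    return 1
}

# audit_home DIR OWNER
# Prints one line per anomaly under DIR, tagged with its kind:
#   OWNER-MISMATCH   entry not owned by OWNER (e.g. the root-owned directory)
#   SETUID-OR-SETGID regular file with the setuid or setgid bit
#   METACHAR-NAME    basename contains shell metacharacters
# Names containing a newline are reported by suspicious_name only if they
# survive the read loop; the two find passes do not depend on the loop.
audit_home() {
    _dir="$1"; _owner="$2"
    find "$_dir" ! -user "$_owner" -print 2>/dev/null \
        | sed 's/^/OWNER-MISMATCH /'
    find "$_dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sed 's/^/SETUID-OR-SETGID /'
    find "$_dir" -print 2>/dev/null | while IFS= read -r _p; do
        if suspicious_name "${_p##*/}"; then
            printf 'METACHAR-NAME %s\n' "$_p"
        fi
    done
}

# Usage when run directly: check the caller's PATH, then audit a directory
# given as the first argument (defaults to $HOME) against its owner.
if [ "${0##*/}" = "audit_home.sh" ]; then
    if path_has_cwd "$PATH"; then
        echo "WARNING: PATH contains a cwd-relative entry: $PATH" >&2
    fi
    _target="${1:-$HOME}"
    audit_home "$_target" "$(id -un)"
fi
```

The PATH check deliberately flags every non-absolute entry, not just a literal `.`, because a trailing colon or a bare `bin` behaves the same way. The audit is meant to be run by the administrator from a trusted shell with an absolute PATH, so the `find` and `sed` it invokes are the system's own.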