From owner-freebsd-security Sat Sep 16 01:00:11 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6)
    id BAA04748 for security-outgoing; Sat, 16 Sep 1995 01:00:11 -0700
Received: from strider.ibenet.it (root@[194.179.130.1])
    by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id AAA04698 ;
    Sat, 16 Sep 1995 00:59:53 -0700
Received: (from piero@localhost) by strider.ibenet.it (8.6.12/8.6.12)
    id KAA05308; Sat, 16 Sep 1995 10:00:26 +0200
From: Piero Serini
Message-Id: <199509160800.KAA05308@strider.ibenet.it>
Subject: Re: forwarded message from Grant Haidinyak
To: nate@rocky.sri.MT.net (Nate Williams)
Date: Sat, 16 Sep 1995 10:00:25 +0200 (MET DST)
Cc: security@Freebsd.org, core@Freebsd.org
In-Reply-To: <199509152018.OAA17249@rocky.sri.MT.net> from "Nate Williams" at Sep 15, 95 02:18:06 pm
Reply-To: piero@strider.ibenet.it
Operating-System: FreeBSD 1.1.5.1
X-Phone-Number: +39 (2) 58113562
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 896
Sender: owner-security@Freebsd.org
Precedence: bulk

Hello.

Quoting from Nate Williams (Fri Sep 15 22:18:06 1995):
> [ Quick background.  Grant has been experiencing a bug whereby folks are
> re-connected to login which were abruptly dis-connected from a machine.
> This is a *HUGE* security hole if it is indeed true. ]
...

Yes it is. It was so in 2.0.0-SNAP950322, and was reported at least
4 months ago. It can be repeated by (on 2.0.0-SNAP):

- login
- startx
- run 'su' and an xterm from there
- write down the pty #
- hit ctrl-alt-delete
- from another machine, telnet into yours until your pty is = the one
  you wrote down
- play with the root shell. Even commands go to the root shell, odd
  ones to yours I think.

Bye,
--
# $Id: .signature,v 1.12 1995/08/14 12:10:54 piero Exp $
Piero Serini
Via Giambologna, 1
I 20136 Milano - ITALY