From owner-freebsd-security Tue Jun 25 01:42:17 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA02730 for security-outgoing; Tue, 25 Jun 1996 01:42:17 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA02655; Tue, 25 Jun 1996 01:40:57 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id BAA14940; Tue, 25 Jun 1996 01:40:18 -0700 (PDT)
Date: Tue, 25 Jun 1996 01:40:18 -0700 (PDT)
From: -Vince-
To: Mark Murray
cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250836.KAA08996@grumble.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Mark Murray wrote:

> -Vince- wrote:
> > > Example: user suspects you may be a DOS user, and are likely to try
> > > to type the "dir" or "cls" command every now and then (by mistake).
> > >
> > > In his home directory he places a script called "dir" that creates a
> > > suid shell (silently) then prints the usual "command not found" error.
> > >
> > > He then phones you, asking for support, and tries to trick you into
> > > running his script. Having "." in your path makes his trickery easier.
> >
> > Hmmm, that's only if we had phone support.... We don't :) but do
> > admins really go run a program that the user said won't run?
>
> Don't pick details. The point is that there is the problem that you
> could be tricked (somehow) into running a user's script instead
> of a system binary. This can happen even if the "." is at the
> end of your path if the program/script is not the name of a
> system app.
Yeah, you have a point, but jbhunt was watching the user as he hacked root, since he brought the file from his own machine.... so that wasn't something the admin was tricked into doing..

Vince
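An added example, not part of this thread: a small POSIX sh audit of the PATH weakness Mark describes. It flags "." (explicit or as an empty entry), other relative entries, and world-writable directories, and shows which file a command name such as "dir" would actually resolve to when no system binary of that name exists. The function names and the demo line are this example's own, not anything from the list.

```sh
#!/bin/sh
# audit_path PATHSTRING: print one line per risky entry.
# Returns 0 when nothing was found, 1 otherwise.
audit_path() {
    rest="$1:"            # trailing ":" so an empty last entry is seen too
    found=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            "" | ".")
                # Both spellings mean "whatever directory I am standing in".
                echo "RISK: current directory in PATH (entry '$entry')"
                found=$((found + 1)) ;;
            /*)
                # ls -ld mode field: columns 8-10 are the "other" bits,
                # so column 9 reads 'w' when any local user can write here.
                if [ -d "$entry" ] && [ "$(ls -ld "$entry" | cut -c9)" = "w" ]; then
                    echo "RISK: world-writable directory in PATH: $entry"
                    found=$((found + 1))
                fi ;;
            *)
                echo "RISK: relative directory in PATH: $entry"
                found=$((found + 1)) ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# resolve_cmd NAME PATHSTRING: walk entries left to right as the shell
# does and print the first executable match; status 1 if there is none.
# Shows why a trailing "." still bites for names like "dir" that no
# system directory provides.
resolve_cmd() {
    name="$1"; rest="$2:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"; rest="${rest#*:}"
        [ -z "$entry" ] && entry=.
        if [ -f "$entry/$name" ] && [ -x "$entry/$name" ]; then
            echo "$entry/$name"; return 0
        fi
    done
    return 1
}

# Demo: audit the running shell's own PATH.
audit_path "$PATH" && echo "PATH: no risky entries found"
```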