From owner-freebsd-hackers Mon Jun 24 13:31:53 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
    id NAA29037 for hackers-outgoing; Mon, 24 Jun 1996 13:31:53 -0700 (PDT)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130])
    by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA28974;
    Mon, 24 Jun 1996 13:31:38 -0700 (PDT)
Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1])
    by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id WAA06360;
    Mon, 24 Jun 1996 22:27:09 +0200 (SAT)
Message-Id: <199606242027.WAA06360@grumble.grondar.za>
To: Veggy Vinny
cc: Mark Murray, Wilko Bulte, "Jordan K. Hubbard", guido@gvr.win.tue.nl,
    hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
Date: Mon, 24 Jun 1996 22:27:09 +0200
From: Mark Murray
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Veggy Vinny wrote:
> > Take claims like this with a pinch of salt. ;-)
>
> I know but I tried it and it does let me run vipw ;-)
>
> > What is the program? If we know how it works, we can fix any security hole
> > it may be exploiting.
>
> Hmmm, the program is called root, no sources.. it's just a 278k
> binary...

With a setuid bit? Does ktrace(1) give any clues? What do you get from
strings(1)? (Long shot..) What other exploration have you done?

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key