From owner-freebsd-hackers Mon Jun 24 17:26:56 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA26291 for hackers-outgoing; Mon, 24 Jun 1996 17:26:56 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA26286; Mon, 24 Jun 1996 17:26:54 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id RAA22761; Mon, 24 Jun 1996 17:26:36 -0700 (PDT)
Date: Mon, 24 Jun 1996 17:26:35 -0700 (PDT)
From: -Vince-
To: Matthew Jason White
cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley , jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <0lnmnpy00YUp8Ea2EM@andrew.cmu.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 24 Jun 1996, Matthew Jason White wrote:

> Excerpts from freebsd-security: 24-Jun-96 Re: I need help on this one..
> by -Vince-@mercury.gaianet.
> > Yeah, that's the real question is like if he can transfer the
> > binary from another machine and have it work... other people can do the
> > same thing and gain access to FreeBSD boxes as root as long as they have
> > an account on that machine...
>
> That shouldn't be possible. FreeBSD wouldn't allow the transfer program
> to assign root ownership to a program unless that program is run as
> root. The programs typically run on a FreeBSD system as root do not
> assign ownership in this way. This guy must've gotten root some other
> way and then created the shell so that he could get root again in the
> future.

Yeah, that's what I'm thinking... Since it seems like there was a
problem of running ypwhich to get root on another machine running 2.1R
but in -current, it doesn't work.

> You probably want to change the security script so that it points out
> ALL suid programs in /usr/home, /tmp, /var/tmp and /usr/tmp, or any
> other publicly writeable area. Are you running inn1.4 on this system?
> If so, you should probably upgrade to inn-1.4uoff4 (this port should
> prolly be upgraded, if someone hasn't already).

Hmmm, we're not running inn at all...

Vince
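
The check suggested in the quoted text above (report every suid program under /usr/home, /tmp, /var/tmp and /usr/tmp) can be written as a small shell function. This is an added example, not part of the original message and not the FreeBSD security script; the function name `scan_suid`, the extra set-gid check and the output format are assumptions.

```shell
#!/bin/sh
# Added example: list set-uid / set-gid regular files in user-writable trees.
# The directory list comes from the message; scan_suid and its output
# format are hypothetical names chosen for this illustration.

SCAN_DIRS="/usr/home /tmp /var/tmp /usr/tmp"

# scan_suid DIR...
# Prints one line per hit: an ownership tag followed by the `ls -ln` entry.
scan_suid() {
    for dir in "$@"; do
        # Skip locations that do not exist on this system.
        [ -d "$dir" ] || continue
        # "$dir/" makes find descend even when DIR is a symlink
        #   (for example /usr/tmp pointing at /var/tmp).
        # -xdev stays on one filesystem; -type f ignores directories,
        #   where the set-gid bit has a different meaning.
        # -perm -4000 matches set-uid, -perm -2000 matches set-gid.
        find "$dir/" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
            -exec ls -ln {} + 2>/dev/null |
        # Column 3 of `ls -ln` is the numeric owner; uid 0 is the case
        # discussed in the thread (a root-owned suid shell left behind).
        awk '{ printf "%s %s\n", ($3 == 0 ? "ROOT-OWNED" : "user-owned"), $0 }'
    done
}

# When run as a script with directory arguments, scan those directories,
# e.g.:  sh scan_suid.sh /usr/home /tmp /var/tmp /usr/tmp
if [ "$#" -gt 0 ]; then
    scan_suid "$@"
fi
```

Any line this prints for those directories deserves a look, since ordinary users rarely have a reason to keep set-uid binaries there.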