From owner-freebsd-security Tue Dec 30 17:16:42 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id RAA15119 for security-outgoing; Tue, 30 Dec 1997 17:16:42 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from atlas.iexpress.net.au (atlas.iexpress.net.au [203.61.175.33]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id RAA15094; Tue, 30 Dec 1997 17:16:13 -0800 (PST) (envelope-from mikey@atlas.iexpress.net.au)
Received: from localhost (mikey@localhost) by atlas.iexpress.net.au (8.8.5/8.8.5) with SMTP id JAA14600; Wed, 31 Dec 1997 09:12:44 +0800
Date: Wed, 31 Dec 1997 09:12:43 +0800 (WST)
From: Michael Slater
To: "Eric C. S. Dynamic"
cc: isp@FreeBSD.ORG, security@FreeBSD.ORG, Wut!?
Subject: Re: Two sources for system-cracking tools
In-Reply-To: <34A98FA3.42877E5C@transbay.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

That actually happened to me once, but it was a while ago when I was using the buggy version of wu.ftpd. I fixed that particular bug a while ago.

Michael

On Tue, 30 Dec 1997, Eric C. S. Dynamic wrote:

> Mike wrote:
> > On Tue, 30 Dec 1997, Wut!? wrote:
> > > Yeah, Rootshell.com isn't very good with his information, and there is a
> > > very simple explanation why .. (He runs linux!)..
> >
> > [...]- saying "He runs linux" is an
> > explanation for poor logic is like saying [...]
>
> He (rootshell) got the data from somewhere, maybe it's wrong.
> No point in being bigoted against Linux. When I justify choosing
> FreeBSD over Linux I just tell people it's real BSD and that it
> has a reputation for being more robust, that we use it and there's
> only one kind. And I don't care to learn about another sorta-similar,
> sorta-different system unless I have to (no time.)
>
> Meanwhile, I reported those two sources for hacker-stuff out as a
> notice (what land doc said of itself) and a question (does teardrop
> work if you're not using the firewall?). Someone hacked our system
> by creating an executable suid-root copy of /bin/sh in /tmp,
> and this is the second time someone's been able to do that. This
> time I discovered it about 12 minutes after the file was created,
> but I'd like to know "how they do that" and I'd like to plug the
> hole. The user I axed had a dozen-plus hack'em crack'em thingys
> lying around, for experimentation. Maybe one of them works, but
> which one? A lot of them try to manipulate the stack at a machine
> level, apparently.
>
> If the suid-root /bin/sh in /tmp rings a bell, let me know a
> countermeasure. Thanks.
>
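The symptom Eric describes, a setuid-root copy of /bin/sh left in /tmp, is the classic backdoor an intruder plants after some exploit has already run as root: only root can produce a root-owned file with the setuid bit set, so the file is evidence of a root compromise, not the hole itself. The thread does not say which of the tools on that box worked, and nothing below claims to. What follows is an added example, not code from the original thread or from any of the posters: a small POSIX sh check that finds setuid files in directories where none should ever live (world-writable scratch space such as /tmp), suitable for running from cron so the next one is caught in minutes rather than by luck. The function names and the constructed sample directory are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes a POSIX sh with
# find(1), wc(1), tr(1) and mktemp(1). The function and directory names
# are this example's own choices, not anything the posters used.

# find_rogue_suid DIR...: print every regular file under DIR... that has
# the setuid bit set. Pointed at /tmp, /var/tmp and other world-writable
# directories, any hit at all is suspicious, since no legitimate setuid
# binary is installed there.
find_rogue_suid() {
    find "$@" -type f -perm -4000 2>/dev/null
}

# count_rogue_suid DIR...: number of setuid files found, so a cron job can
# decide whether to mail the admin (non-zero means "go look now").
count_rogue_suid() {
    find_rogue_suid "$@" | wc -l | tr -d ' '
}

# report_rogue_suid DIR...: one line per hit with owner, mode and path,
# which is what you want in the mail rather than a bare path list.
report_rogue_suid() {
    find "$@" -type f -perm -4000 -exec ls -l {} \; 2>/dev/null
}

# demo: build a constructed sample directory holding a setuid copy of sh
# next to an ordinary file, run the check, and clean up. Prints the count
# (expected: 1) and the report line for the planted shell.
demo() {
    d=$(mktemp -d) || return 1
    cp /bin/sh "$d/sh"
    chmod 4755 "$d/sh"        # setuid bit set, as in the reported incident
    : > "$d/notes.txt"        # ordinary file, must not be flagged
    count_rogue_suid "$d"
    report_rogue_suid "$d"
    rm -rf "$d"
}

# Real use from cron (every few minutes), assumed paths:
#   n=$(count_rogue_suid /tmp /var/tmp); [ "$n" = 0 ] || report_rogue_suid /tmp /var/tmp | mail -s "setuid file in tmp" root
```

Two things worth pairing with the check: mount /tmp and /var/tmp with the nosuid option so a planted setuid binary is ignored by the kernel there, and keep a baseline of the setuid files that are supposed to exist (`find / -type f -perm -4000` taken right after install) so the same check can be run tree-wide and diffed against it, since the second planted shell could just as easily go in /usr/libexec as in /tmp. Neither of these closes the hole that gave the intruder root in the first place; they shorten the window and take away the easiest persistence.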