Date: Sat, 8 Sep 2001 19:01:03 -0700
From: Kris Kennaway
To: Jordan Hubbard
Cc: mike@sentex.net, security@freebsd.org
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908190103.A5814@xor.obsecurity.org>

On Sat, Sep 08, 2001 at 06:23:04PM -0700, Jordan Hubbard wrote:

> I fail to see the cited evidence I'm asking for. Hand-waving I can
> have for free.

The uucp suite has the ability to specify an alternate configuration
file on the command-line (Andrey tells me this is a commonly used
feature :-( ) Using configuration file options they can be made to
execute arbitrary commands as the uucp user. The uucp user owns the
uucp binaries in question. uustat is executed by default by root in
/etc/periodic.

There are other consequences of the underlying vulnerability (full
read/write access to the /var/spool/uucp directories, for example), so
preventing the uucp user from overwriting the binaries (with the schg
flag) only fixes the most serious of the side-effects.

Kris
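
The condition the message describes, a program that root runs from its periodic scripts being owned by a non-root account, can be audited mechanically. The script below is an added example, not part of the original message or of FreeBSD; the function names and the trusted-uid parameter are assumptions, and it goes slightly beyond the message by also checking group/other write bits and the containing directory.

```shell
#!/bin/sh
# Added example: flag programs that root runs (e.g. from periodic scripts)
# but that a non-root account could replace. Names here are illustrative.

# Numeric owner uid of a path, parsed from `ls` for portability.
owner_uid() {
    ls -lnLd -- "$1" | awk '{print $3}'
}

# True if the mode string grants write to group (char 6) or other (char 9).
loosely_writable() {
    mode=$(ls -lnLd -- "$1" | awk '{print $1}')
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# audit_root_run TRUSTED_UID FILE...
# Checks each file and its containing directory (not every ancestor).
# Prints one finding per line; returns 1 if anything was flagged.
audit_root_run() {
    trusted=$1; shift
    rc=0
    for f in "$@"; do
        for p in "$f" "$(dirname -- "$f")"; do
            if [ ! -e "$p" ]; then
                echo "MISSING $p"; rc=1; continue
            fi
            uid=$(owner_uid "$p")
            if [ "$uid" != "$trusted" ]; then
                echo "OWNER $p uid=$uid"; rc=1
            fi
            if loosely_writable "$p"; then
                echo "WRITABLE $p"; rc=1
            fi
        done
    done
    return "$rc"
}

# Stand-alone use: sh audit.sh <paths of programs root executes>
# Trusted owner is uid 0; does nothing when called without arguments.
if [ "$#" -gt 0 ]; then
    audit_root_run 0 "$@"
fi
```

An OWNER finding is the situation described in the message; the schg flag is not inspected, and access to the spool directories is outside what this script checks.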