From owner-freebsd-hackers Tue Jun 25 22:24:38 1996 Return-Path: owner-hackers Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA06586 for hackers-outgoing; Tue, 25 Jun 1996 22:24:38 -0700 (PDT) Received: from MindBender.HeadCandy.com (root@[199.238.225.168]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA06512; Tue, 25 Jun 1996 22:21:54 -0700 (PDT) Received: from localhost.HeadCandy.com (michaelv@localhost.HeadCandy.com [127.0.0.1]) by MindBender.HeadCandy.com (8.7.5/8.7.3) with SMTP id WAA00500; Tue, 25 Jun 1996 22:11:17 -0700 (PDT) Message-Id: <199606260511.WAA00500@MindBender.HeadCandy.com> X-Authentication-Warning: MindBender.HeadCandy.com: Host michaelv@localhost.HeadCandy.com [127.0.0.1] didn't use HELO protocol To: -Vince- cc: "Eric J. Schwertfeger" , Mark Murray , hackers@freebsd.org, security@freebsd.org, Chad Shackley , jbhunt Subject: Re: I need help on this one - please help me track this guy down! In-reply-to: Your message of Tue, 25 Jun 96 13:03:06 -0700. Date: Tue, 25 Jun 1996 22:11:14 -0700 From: "Michael L. VanLoon -- HeadCandy.com" Sender: owner-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >On Tue, 25 Jun 1996, Eric J. Schwertfeger wrote: >> On Tue, 25 Jun 1996, -Vince- wrote: >> > Yeah, you have a point but jbhunt was watching the user as he >> > hacked root since he brought the file from his own machine.... so that >> > wasn't something the admin was tricked into doing.. >> Then the important question is, how did he move the file so that it >> retained the setuid bit? We're already pretty sure that the program is >> only /bin/sh with the setuid bit turned on. So either he found a way to >> move the file with the bit turned on, or he found a way to turn it on, >> which reqires root access. > It was a remote login so he had to transfer it over somehow... Well, *if* that's true, it still wouldn't be setuid root just from the transfer. He'd *still* have to get root some other way to make this binary setuid root. But if he's going to do that, why bother copying a binary over the network -- it would just be easier to just snag a copy of your own /bin/sh and mark it setuid root. ----------------------------------------------------------------------------- Michael L. VanLoon michaelv@HeadCandy.com --< Free your mind and your machine -- NetBSD free un*x >-- NetBSD working ports: 386+PC, Mac 68k, Amiga, Atari 68k, HP300, Sun3, Sun4/4c/4m, DEC MIPS, DEC Alpha, PC532, VAX, MVME68k, arm32... NetBSD ports in progress: PICA, others... Roll your own Internet access -- Seattle People's Internet cooperative. If you're in the Seattle area, ask me how. -----------------------------------------------------------------------------