From owner-freebsd-security Wed Jul 30 23:18:49 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA07916 for security-outgoing; Wed, 30 Jul 1997 23:18:49 -0700 (PDT) Received: from acromail.ml.org (acroal.vip.best.com [206.86.222.181]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA07897 for ; Wed, 30 Jul 1997 23:18:43 -0700 (PDT) Received: from localhost (kernel@localhost) by acromail.ml.org (8.8.6/8.8.5) with SMTP id XAA00672; Wed, 30 Jul 1997 23:18:59 -0700 (PDT) Date: Wed, 30 Jul 1997 23:18:59 -0700 (PDT) From: FreeBSD Technical Reader To: Ollivier Robert cc: security@FreeBSD.ORG Subject: Re: security hole in FreeBSD In-Reply-To: <19970728171633.10794@keltia.freenix.fr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Is it also possible to do this with a raw socket using a custom protocol? On Mon, 28 Jul 1997, Ollivier Robert wrote: > According to Vincent Poy: > > 1) User on mercury machine complained about perl5 not working which was > > perl5.003 since libmalloc lib it was linked to was missing. > > 2) I recompiled the perl5 port from the ports tree and it's perl5.00403 > > and it works. > > I don't think he used perl to hack root unless you kept old versions of > Perl4 and Perl5. The buffer overflows in Perl4 were plugged in May by > Werner. 5.003+ holes are fixed in 5.004 and later. > > > 6) We went to inetd.conf and shut off all daemons except telnetd and > > rebooted and user still can get onto the machine invisibly. > > That shows that he has used a spare port to hook a root shell on. In these > case, "netstat -a" or "lsof -i:TCP" will give you all connections, > including those on which a program is LISTENing to. That way you'll catch > any process left on a port. > > -- > Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr > FreeBSD keltia.freenix.fr 3.0-CURRENT #23: Sun Jul 20 18:10:34 CEST 1997 >