From owner-freebsd-security  Mon Jul 28 10:23:46 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id KAA19106
          for security-outgoing; Mon, 28 Jul 1997 10:23:46 -0700 (PDT)
Received: from netrail.net (netrail.net [205.215.10.3])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA19097
          for <security@FreeBSD.ORG>; Mon, 28 Jul 1997 10:23:43 -0700 (PDT)
Received: from localhost (jonz@localhost)
	by netrail.net (8.8.6/8.8.6) with SMTP id NAA04255;
	Mon, 28 Jul 1997 13:22:44 GMT
Date: Mon, 28 Jul 1997 13:22:44 +0000 (GMT)
From: "Jonathan A. Zdziarski" <jonz@netrail.net>
To: Ollivier Robert <roberto@keltia.freenix.fr>
cc: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-Reply-To: <19970728171633.10794@keltia.freenix.fr>
Message-ID: <Pine.BSF.3.95q.970728132145.4159A-100000@netrail.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I would check also /etc/inetd.conf to make sure he didn't set himself up
with a root-environment on some port, I know finger -P will let you run
for example a shell, and if it is set up as root, well... 


-------------------------------------------------------------------------
Jonathan A. Zdziarski                                NetRail Incorporated
Server Engineering Manager                    230 Peachtree St. Suite 500
jonz@netrail.net                                        Atlanta, GA 30303
http://www.netrail.net                                    (888) - NETRAIL
------------------------------------------------------------------------- 

On Mon, 28 Jul 1997, Ollivier Robert wrote:

:According to Vincent Poy:
:> 1) User on mercury machine complained about perl5 not working which was
:> perl5.003 since libmalloc lib it was linked to was missing.
:> 2) I recompiled the perl5 port from the ports tree and it's perl5.00403
:> and it works.
:
:I don't think he used perl to hack root unless you kept old versions of
:Perl4 and Perl5. The buffer overflows in Perl4 were plugged in May by
:Werner. 5.003+ holes are fixed in 5.004 and later.
:
:> 6) We went to inetd.conf and shut off all daemons except telnetd and 
:> rebooted and user still can get onto the machine invisibly.
:
:That shows that he has used a spare port to hook a root shell on. In these
:case, "netstat -a" or "lsof -i:TCP" will give you all connections,
:including those on which a program is LISTENing to. That way you'll catch
:any process left on a port.
:
:-- 
:Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr
:FreeBSD keltia.freenix.fr 3.0-CURRENT #23: Sun Jul 20 18:10:34 CEST 1997
: