From owner-freebsd-security Fri May 28 2:48:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 7CBB914F84 for ; Fri, 28 May 1999 02:48:24 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id CAA18283; Fri, 28 May 1999 02:47:31 -0700 (PDT)
Message-ID: <19990528024730.B15594@best.com>
Date: Fri, 28 May 1999 02:47:30 -0700
From: "Jan B. Koum "
To: Dima , security@FreeBSD.ORG
Subject: Re: System beeing cracked!
References: <199905280927.OAA08009@nic.mmc.net.ge>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199905280927.OAA08009@nic.mmc.net.ge>; from Dima on Fri, May 28, 1999 at 02:27:23PM +0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, May 28, 1999 at 02:27:23PM +0500, Dima wrote:
> Hello,
> I have 3.1 installed and a friend of mine made a bet that he can hack into my system. He has an ordinary account. So, he won! And I'm wondering if there are any security holes in 3.1? He logged in as himself via telnet, then he made himself root (but he was not in the wheel group and of course did not know the root password) and, what is more interesting, he cracked several passwords. He did all this in 2 hours, and the passwords were a minimum of 10 characters in length, containing mixed case and digits. I am using MD5 encoding, and as far as I knew that is impossible. Has someone any idea how it was done? Please answer me, as my friend does not tell me anything about this, as he feels like a guru hacker.
> Thank you.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Hello,

By default 3.0-RELEASE was shipped with /sbin/vinum set sgid kmem, which allowed people to read /dev/*mem -- which is where it is possible to grab your password file from. You can also do other nasties when you have sgid kmem handy. See (as one big line):

http://www.freebsd.org/cgi/getmsg.cgi?fetch=38413+41513+/usr/local/www/db/text/1999/freebsd-security/19990124.freebsd-security

This vinum bug was fixed on Jan 13th -- have you upgraded your system since? [Yes, I know you said you have 3.1, but I am just checking first]

Of course, you might have had /root/.rhosts with "+ +" in it or some such. Or maybe you had an older version of QPOP or an imap server running? Those have remote overflows in them.

Have you ever logged in from your friend's machine into your machine and done 'su'? He might have had your keystrokes logged.

Hard to tell how exactly your system got cracked. There are many ways. Most of them are not the OS's fault either.

-- Yan
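Yan names three local things to check: a setgid-kmem executable (what /sbin/vinum was in 3.0-RELEASE), group permissions on the kernel memory devices, and wildcard entries in .rhosts or hosts.equiv. The following POSIX sh audit is an added example, not part of the original thread and not FreeBSD's own code, that looks for each of them. The path list, the `audit_host` name, and the treatment of `#` lines in rhosts files as comments are assumptions; the group name `kmem` and the device names are the FreeBSD defaults.

```shell
#!/bin/sh
# Added example (not from the original thread): a small POSIX sh audit for the
# misconfigurations discussed above. Paths and the "kmem" group name are the
# FreeBSD defaults (an assumption); adjust them for other systems.

# Print setgid executables owned by group GRP beneath the given directories.
# On 3.0-RELEASE this would have listed /sbin/vinum (setgid kmem); anything it
# prints can read /dev/kmem and, through it, whatever the kernel holds.
find_sgid_group() {
    grp=$1
    shift
    find "$@" -type f -perm -2000 -group "$grp" 2>/dev/null
}

# Return 0 if FILE (e.g. /root/.rhosts or /etc/hosts.equiv) has a wildcard
# entry: "+" in the host field or "+" in the user field. "+ +" trusts every
# user on every host, so anyone can rlogin as the owner without a password.
# Lines starting with "#" are treated as comments (assumption).
rhosts_has_wildcard() {
    [ -r "$1" ] || return 1
    awk 'BEGIN { found = 1 }
         !/^[ \t]*#/ && ($1 == "+" || $2 == "+") { found = 0 }
         END { exit found }' "$1"
}

# Return 0 if DEV is readable by its group. Group-readable /dev/kmem is normal
# (that is what the kmem group exists for); the danger is a setgid-kmem binary
# that an ordinary user can run, which is what find_sgid_group looks for.
dev_group_readable() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm -040 -print 2>/dev/null)" ]
}

# Run all three checks against the live system and report (hypothetical name).
audit_host() {
    echo "== setgid-kmem executables =="
    find_sgid_group kmem /sbin /usr/sbin /bin /usr/bin /usr/local/bin /usr/local/sbin

    echo "== kernel memory device permissions =="
    for dev in /dev/mem /dev/kmem; do
        if dev_group_readable "$dev"; then
            echo "$dev is group-readable: $(ls -l "$dev")"
        fi
    done

    echo "== wildcard trust in rhosts files =="
    for f in /etc/hosts.equiv /root/.rhosts /home/*/.rhosts; do
        if rhosts_has_wildcard "$f"; then
            echo "WILDCARD: $f"
        fi
    done
}

# Usage: sh audit.sh --run   (or source the file and call the functions directly)
case "${1:-}" in
    --run) audit_host ;;
esac
```

The setgid search is the one that matters most here: a binary that is setgid kmem and executable by everyone hands every local user the same read access to kernel memory that Yan describes, regardless of how /dev/kmem itself is protected.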