From david@sifry.com  Thu Jul 18 03:14:32 1996
Sender: david@sifry.com
Message-ID: <31ED1EED.44328B1B@sifry.com>
Date: Wed, 17 Jul 1996 10:12:13 -0700
From: "David L. Sifry" <david@sifry.com>
Organization: Sifry Consulting
X-Mailer: Mozilla 3.0b4 (X11; I; Linux 2.0.6 i586)
MIME-Version: 1.0
To: best-of-security@suburbia.net
Subject: [Fwd: [linux-security] sliplogin (fwd)]
Content-Type: multipart/mixed; boundary="------------195BD4DC75D367FCB4963"

This is a multi-part message in MIME format.

--------------195BD4DC75D367FCB4963
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

There was a followup to this saying that revision 1.6 closes this hole for
FreeBSD users:
------------
From: Nate Williams <nate@mt.sri.com>

revision 1.6
date: 1996/04/24 20:18:25;  author: pst;  state: Exp;  lines: +9 -0
Close a security hole in sliplogin.
If you use sliplogin as a user shell (in /etc/passwd) upgrade to this
version.
Reviewed by:    bde, peter
Submitted by:   AUS CERT
Obtained from:  Linux sliplogin-2.02

So, even if you set up /etc/sliphome, your system won't be vulnerable.
------------
Enclosed is the original message.
-- 
Dave Sifry
david@sifry.com, sifry@aptltd.com
(408) 471-0667 (voice)
(408) 471-0666 (fax)

--------------195BD4DC75D367FCB4963
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Loop: FreeBSD.org
Precedence: bulk
Approved-By:  Aleph One <aleph1@DFW.NET>
Message-ID: <Pine.SGI.3.91.960716185055.7842B-100000@umbc7.umbc.edu>
Date: 	Tue, 16 Jul 1996 19:21:46 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Paul Danckaert <pauld@umbc.edu>
Subject:      [linux-security] sliplogin (fwd)
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

Interesting.  The code is the same on FreeBSD, it looks like.  However, on
the default distributed system, there isn't a /etc/sliphome directory,
which is necessary for sliplogin to start up correctly.  Therefore the
standard FreeBSD distribution dies out before it gets anywhere near the
system command. If you do run slip off of your system, however, it's much
more possible that bad things can happen.

paul

---------- Forwarded message ----------
Date: Tue, 16 Jul 1996 15:27:19 -0500
From: David Holland <dholland@hcs.HARVARD.EDU>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Subject: [linux-security] sliplogin

Anyone running a version of sliplogin older than sliplogin-2.1.0
(which can be gotten from sunsite.unc.edu:/pub/Linux/system/Network/serial
or ftp.uk.linux.org:/pub/linux/Networking/transports) should remove it
or upgrade it immediately.

It does

        setuid(0);
        if (s = system(logincmd)) {
           :
        }

without clearing the environment first. Therefore, anybody can get
root trivially.

The sliplogin from NetKit-B-0.06 is affected.
Current RedHat sliplogin is not affected.
Others I don't know about.

--
   - David A. Holland          | Number of words in the English language that
     dholland@hcs.harvard.edu  | exist because of typos or misreadings: 381


--------------195BD4DC75D367FCB4963--
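
Added example, not part of the original messages and not the sliplogin-2.1.0 or FreeBSD revision 1.6 change: one way a privileged helper can launch its login script without handing it the caller's environment, which is the step the quoted setuid(0)/system(logincmd) code skips. The names build_clean_env and run_clean, the fixed PATH value and the TERM-only allowlist are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed search path for the child; never taken from the caller. */
#define SAFE_PATH "PATH=/bin:/usr/bin"
/* Assumed policy: only these variables pass through from the session. */
static const char *const keep[] = { "TERM", NULL };

/* Fill envp[] with SAFE_PATH plus allowlisted variables.
 * Returns the number of entries written, not counting the NULL terminator. */
size_t build_clean_env(char **envp, size_t cap)
{
    size_t n = 0;
    if (cap < 2) return 0;
    envp[n++] = (char *)SAFE_PATH;
    for (size_t i = 0; keep[i] != NULL && n + 1 < cap; i++) {
        const char *v = getenv(keep[i]);
        if (v == NULL) continue;
        size_t len = strlen(keep[i]) + strlen(v) + 2;   /* '=' and NUL */
        char *kv = malloc(len);
        if (kv == NULL) continue;
        snprintf(kv, len, "%s=%s", keep[i], v);
        envp[n++] = kv;
    }
    envp[n] = NULL;
    return n;
}

/* Run argv[0] (an absolute path) via fork/execve with the clean environment
 * instead of system(). Returns the child's exit status, or -1 on failure. */
int run_clean(char *const argv[])
{
    char *envp[8];
    int status = 0;
    size_t n = build_clean_env(envp, sizeof envp / sizeof envp[0]);
    pid_t pid = fork();
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);                      /* exec failed */
    }
    int ok = pid > 0 && waitpid(pid, &status, 0) == pid;
    for (size_t i = 1; i < n; i++) free(envp[i]);   /* envp[0] is a literal */
    return (ok && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

Using an allowlist means variables the program has never heard of are dropped by default, rather than relying on a list of names to strip.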

