erict@flatline.UUCP (j eric townsend) (07/25/88)
Well, I found another one. Doesn't surprise me though. :-) It's even more nefarious, and the user doesn't have to change *anything* to get an id=0, gid=0 shell!

If you have the "Toybox" installed, and a game that lets you escape to shell, odds are you have a root shell. I did this with a game in my Toybox.... I checked the toybox file, and noticed that *all* the games were run:

    Run=EXEC -pwd /usr/games/nameofgame

Each game is run from a root shell. Any game that lets you escape to shell will spawn a root shell. I'm going to try modifying it to see if the games will run w/o root permissions.

Geeze. AT&T is *soooo* bad-ass about their equipment, then they fuck up like this. They used to charge what, $12k for a 3b1?

Some people may be upset that I posted this security hole. I think that if people know about it, they can fix it, otherwise you have: set criminal-types know about hole, set user-types do not, criminal-types can use hole to take advantage of user-types. People interested in breaking into 3b1's probably know about this one already, so....

--
Motorola Skates on Intel's Head!
J. Eric Townsend ->uunet!nuchat!flatline!erict
smail: 511 Parker #2, Hstn, Tx, 77007
..!bellcore!tness1!/
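The kind of check a 3b1 administrator could run against a Toybox menu file like the one described above, as an added example that is not part of the original post: it lists every program launched by a Run=EXEC entry, counts how many would inherit uid 0 if the launcher itself runs as root, and gives a wrapper that refuses to start a game while running as root. The menu-file layout (one Run=EXEC line per entry, with a Name= line before it) and the sample entries are assumptions modelled on the single line the post quotes.

```shell
#!/bin/sh
# Added example, not code from the original post or from AT&T.
# Audit a Toybox-style menu file for games that would be started as root.

# Constructed sample menu file; the exact format is an assumption based on
# the one "Run=EXEC -pwd /usr/games/nameofgame" line quoted in the post.
SAMPLE_MENU='Name=rogue
Run=EXEC -pwd /usr/games/rogue
Name=hack
Run=EXEC -pwd /usr/games/hack
Name=Calendar
Run=EXEC -pwd /usr/bin/cal'

# list_exec_commands MENU_TEXT
#   Print the program path from every "Run=EXEC -pwd <path>" line.
list_exec_commands() {
    printf '%s\n' "$1" |
        sed -n 's/^Run=EXEC[[:space:]]*-pwd[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# count_root_launched_games MENU_TEXT LAUNCHER_UID
#   Number of /usr/games programs that would inherit root because the
#   launcher (the Toybox shell) runs with uid 0. A non-root launcher
#   cannot hand out root, so the count is 0 for any other uid.
count_root_launched_games() {
    if [ "$2" -eq 0 ]; then
        list_exec_commands "$1" | grep -c '^/usr/games/' || true
    else
        echo 0
    fi
}

# safe_launch CURRENT_UID GAME_PATH
#   Wrapper policy: return 0 when it is acceptable to exec the game,
#   1 when running as root (a "!" shell escape would yield a root shell).
safe_launch() {
    if [ "$1" -eq 0 ]; then
        echo "refusing to run $2 as root: a shell escape would be a root shell" >&2
        return 1
    fi
    return 0
}

# Report for the sample menu using the uid this script actually runs under.
echo "games that would run as root from this launcher: $(count_root_launched_games "$SAMPLE_MENU" "$(id -u)")"
```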