lenny@quincy.UUCP (09/23/87)
Security problem #1: Under release 3.5 or more. Send mail to yourself on 3B1, wait for the <MAIL ENVELOPE> icon and then press either <MSG> or point to it with mouse and press <B1>. You immediately get thrown into mail, with your message displaying and at the ? prompt type: !sh "Look ma, I'm root!" Security problem #2: A lot of people keep "tutor" with no password and widely distribute their dialup number. Tutor, a non-expert user, can't run the shell?! Or can they? Create a file in the Filecabinet, editor either "vi" or "ed" and do a ":!sh" in vi or "!sh" in ed, and wha-la! Security problem #3: Mail setup... UUCP phone numbers and passwords in the L.sys file are normally protected so that NON-SUPERUSER people cannot hack them! Go into mail setup (any user... even Tutor) and you can get all the necessary hacking information! Bad!!!! Any others would be appreciated!! -Lenny -- Lenny Tropiano ...seismo!uunet!swlabs!godfre!quincy!lenny -or- American LP Systems, Inc. ...cmcl2!phri!gor!helm!quincy!lenny -or- 1777-18 Veterans Memorial Hwy. ...mtune!quincy!lenny -or Islandia, New York 11722 +1 516-582-5525 ...ihnp4!icus!quincy!lenny
sean@killer.UUCP (09/24/87)
In article <54@quincy.UUCP>, lenny@quincy.UUCP (Lenny Tropiano) writes: > Security problem #2: > > A lot of people keep "tutor" with no password and widely distribute their > dialup number. Tutor, a non-expert user, can't run the shell?! Or can they? > Create a file in the Filecabinet, editor either "vi" or "ed" and do a ":!sh" > in vi or "!sh" in ed, and wha-la! > This one's easy: assign tutor a password! :-) There is also another way for tutor to get a shell. While in Office of tutor the user has only to type /bin/sh or /bin/ksh, and the User Agent will run the shell. This works for ANY user not having "EXPERT" status. The pass- word solution will keep unwanted folks from getting in as tutor, but I dunno how one would prevent this security problem once tutor has logged in success- fully. > Security problem #3: > > Mail setup... UUCP phone numbers and passwords in the L.sys file are normally > protected so that NON-SUPERUSER people cannot hack them! Go into mail setup > (any user...even Tutor) and you can get all the necessary hacking information! My solution here was to edit /usr/lib/ua/Administration. Remove any entries from this file that you don't want everyone using, and put them in the install login's personal Administration file (/u/install/Administration). In fact, the only things I left in /usr/lib/ua/Administration are "Changing Password" and "System Information"; I moved the rest to install's Administra- tion. As an extra measure of security on L.sys (or Systems, as the case may be) I set the permissions to 640. If you do this you'll have to change the file's group to mail, so that the AT&T Electronic Mail software can read it. Sean