200 messages in org.freebsd.freebsd-securityRe: security hole in FreeBSD| From | Sent On | Attachments |
|---|---|---|
| Vincent Poy | Jul 28, 1997 3:19 am | |
| Nicole H. | Jul 28, 1997 3:22 am | |
| Vincent Poy | Jul 28, 1997 4:39 am | |
| Robert Watson | Jul 28, 1997 5:36 am | |
| Nicole H. | Jul 28, 1997 5:40 am | |
| Eric Feillant | Jul 28, 1997 5:41 am | |
| David Holland | Jul 28, 1997 6:12 am | |
| Nicole H. | Jul 28, 1997 6:15 am | |
| Jonathan A. Zdziarski | Jul 28, 1997 6:22 am | |
| Tomasz Dudziak | Jul 28, 1997 6:29 am | |
| Adam Shostack | Jul 28, 1997 6:39 am | |
| Guido van Rooij | Jul 28, 1997 6:52 am | |
| Garrett Wollman | Jul 28, 1997 7:04 am | |
| Robert Watson | Jul 28, 1997 7:56 am | |
| Robert Watson | Jul 28, 1997 7:59 am | |
| Ollivier Robert | Jul 28, 1997 8:16 am | |
| Robert Watson | Jul 28, 1997 8:48 am | |
| Jonathan A. Zdziarski | Jul 28, 1997 8:50 am | |
| Jonathan A. Zdziarski | Jul 28, 1997 8:54 am | |
| Rodney W. Grimes | Jul 28, 1997 8:55 am | |
| Adam Shostack | Jul 28, 1997 9:04 am | |
| Robert Watson | Jul 28, 1997 10:08 am | |
| Rodney W. Grimes | Jul 28, 1997 10:26 am | |
| Vincent Poy | Jul 28, 1997 10:59 am | |
| Vincent Poy | Jul 28, 1997 11:23 am | |
| Vincent Poy | Jul 28, 1997 11:27 am | |
| David Langford | Jul 28, 1997 11:30 am | |
| Vincent Poy | Jul 28, 1997 11:31 am | |
| Robert Watson | Jul 28, 1997 11:33 am | |
| Robert Watson | Jul 28, 1997 11:44 am | |
| Jonathan A. Zdziarski | Jul 28, 1997 11:46 am | |
| Jonathan A. Zdziarski | Jul 28, 1997 11:48 am | |
| Jonathan A. Zdziarski | Jul 28, 1997 11:49 am | |
| Vincent Poy | Jul 28, 1997 12:29 pm | |
| Robert Watson | Jul 28, 1997 12:29 pm | |
| Vincent Poy | Jul 28, 1997 12:38 pm | |
| Vincent Poy | Jul 28, 1997 12:48 pm | |
| Vincent Poy | Jul 28, 1997 12:54 pm | |
| Vincent Poy | Jul 28, 1997 12:56 pm | |
| Adam Shostack | Jul 28, 1997 1:04 pm | |
| Jonathan A. Zdziarski | Jul 28, 1997 1:15 pm | |
| Jonathan A. Zdziarski | Jul 28, 1997 1:16 pm | |
| Robert Watson | Jul 28, 1997 1:45 pm | |
| Jonathan A. Zdziarski | Jul 28, 1997 1:47 pm | |
| Jonathan A. Zdziarski | Jul 28, 1997 1:51 pm | |
| Robert Watson | Jul 28, 1997 1:54 pm | |
| Nate Williams | Jul 28, 1997 2:00 pm | |
| Ollivier Robert | Jul 28, 1997 2:07 pm | |
| Matthew N. Dodd | Jul 28, 1997 2:14 pm | |
| Karl Denninger | Jul 28, 1997 2:42 pm | |
| Vincent Poy | Jul 28, 1997 2:43 pm | |
| Vincent Poy | Jul 28, 1997 3:01 pm | |
| Vincent Poy | Jul 28, 1997 3:06 pm | |
| 147 later messages | ||
| Subject: | Re: security hole in FreeBSD | |
|---|---|---|
| From: | Vincent Poy (vin...@mail.MCESTATE.COM) | |
| Date: | Jul 28, 1997 4:39:06 am | |
| List: | org.freebsd.freebsd-security | |
On Mon, 28 Jul 1997, Tomasz Dudziak wrote:
=)On Mon, 28 Jul 1997, Vincent Poy wrote: =) =)> Greetings, =)> =)> We're had a hacker on two of our FreeBSD -current machines who =)> hacked the machine as root. =)> =)> The symptoms are as follows: =)> 1) User on mercury machine complained about perl5 not working which was =)> perl5.003 since libmalloc lib it was linked to was missing. =)> 2) I recompiled the perl5 port from the ports tree and it's perl5.00403 =)> and it works. =)> 3) User hacks earth when he doesn't even have a account on the machine =)> and can login to the machine remotely as root when rlogin and telnet =)> wouldn't allow it. =)> 4) User is invisible in w, finger, who, users and can only be seen using =)> ps -agux on a pty so I killed the process. =)> 5) User changes hostnames even in a netstat output so it's all garbage =)> 6) We went to inetd.conf and shut off all daemons except telnetd and =)> rebooted and user still can get onto the machine invisibly. =)> 7) User shuts down the machine and changes root password =)> =)> Saw the user on irc posting the password of earth with the login =)> name root. Any ideas? =) =)Well it is possible that he has recompiled /usr/bin/login for example. =)Something like: =)if(strcmp(username, "blahblah")==0) =){ =)setuid(0); =)setgid(0); =)system("/bin/sh"); =)} =)inserted does the job. You are then invisible to w and others... bot not =)netstat i think...
He wasn't invisible to netstat but he did do something that faked the hostname even in netstat.
=)There was a security hole some time ago in perl that allowed local users =)to gain root access... That's probably the way he got root access... =)I would check my binaries, sup and recompile.
Hmmm, I supped the perl from the most recent ports tree and also all the binaries are about 2 months old from the -current tree. I thought the security hole was way before that. What I didn't get is how did he get access to the second system (earth) when he doesn't have a account there in the first place?
Cheers, Vince - vin...@MCESTATE.COM - vin...@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]