Trojan horse possible with news readers
Cory Kempf
cory at gloom.UUCP
Wed Dec 7 01:39:03 AEST 1988
A few days ago, I posted an article in which I implied that it would
be possible to get root access to a machine just by sending mail or
posting an article that was replied to. This article wasn't supposed
to make it out, but it did anyway. (damned cancel didn't work)
Anyway, a number of people have written asking how this worked.
The Sysadmin, while not root (UID=user), reads news/mail and replies.
The default editor is vi. The last few lines of the letter/article
contain lines of the sort <e><x><:>cmd<:>. The last of these lines
causes all lines beginning with <e><x><:> to be deleted. The rest
create/modify the .exrc file in the CURRENT working directory (if
write access is allowed) to probe for write access to /etc/passwd,
and if it is allowed, include a line like
"suser::0:0:Super User:/:/bin/csh"
into the /etc/passwd file. So, when the Sysadmin su's to root,
and then executes vi, vi looks in the CURRENT working directory for
a file named .exrc, and executes that.
And that is how vi's modelines bug can be exploited to give root
access even if you never read news/mail as root (nb: instead of modifying
the /etc/passwd file, it could just check the UID, and if it is 0 do
an 'rm -rf / &').
+C
--
Cory (the last person to escape alive from riverside) Kempf
UUCP: encore.com!gloom!cory
"...it's a mistake in the making." -KT
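As an added defender-side example (not code from the original post), a small POSIX sh audit for the two conditions the post relies on: a `.exrc` file in a working directory whose lines would run a shell command when vi starts there, and an editor configuration that still honours such files. Function names and regexes are my own; the `exrc` and `secure` options are Vim's (`exrc` is off by default in Vim, and `secure` disables shell commands in a local `.exrc`).

```sh
#!/bin/sh
# Audit helper: find .exrc files that would run commands when vi/vim is
# started in their directory, and check whether a vimrc re-enables 'exrc'
# without 'secure'. Example code, not part of the original post.

# Print each .exrc under $1 containing an ex "!" shell escape or a
# ":so[urce]" command. Only these two forms are matched; a ":map" that
# hides a "!" inside a key binding is not caught.
find_risky_exrc() {
    find "$1" -name .exrc -type f 2>/dev/null | while read -r f; do
        if grep -Eq '^[[:space:]]*:?[[:space:]]*(!|so(urce)?[[:space:]])' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Return 0 if the vimrc at $1 turns on 'exrc' (so ./.exrc is read again)
# without also setting 'secure'. "set noexrc" does not match.
vimrc_allows_exrc() {
    grep -Eq '^[[:space:]]*set[[:space:]]+(.*[[:space:]])?exrc([[:space:]]|$)' "$1" || return 1
    ! grep -Eq '^[[:space:]]*set[[:space:]]+(.*[[:space:]])?secure([[:space:]]|$)' "$1"
}

# Usage: sh audit_exrc.sh DIR [DIR...]  (also reports on ~/.vimrc if present)
if [ $# -gt 0 ]; then
    for d in "$@"; do
        find_risky_exrc "$d"
    done
    if [ -f "$HOME/.vimrc" ] && vimrc_allows_exrc "$HOME/.vimrc"; then
        echo "WARNING: $HOME/.vimrc sets exrc without secure"
    fi
fi
```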
More information about the Comp.unix.wizards mailing list