Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!usc!wuarchive!uunet!pilchuck!amc-gw!sumax!polari!tronix
From: tronix@polari.UUCP (David Daniel)
Newsgroups: comp.unix.questions
Subject: Re: What's so special about uudecode?
Message-ID: <3036@polari.UUCP>
Date: 30 Dec 90 08:45:04 GMT
References: <3317@mrsvr.UUCP> <1990Dec29.142017.15454@robobar.co.uk>
Reply-To: tronix@polari.UUCP (David Daniel)
Organization: Seattle Online Public Unix (206) 328-4944
Lines: 22

[]Ha! I think your vendor has made the *dreadful* error of making
[]uudecode setuid to uucp "for the convenience of decoding received uucp
[]files". I have seen systems where this is a horrible security hole in
[]that uudecode will allow anyone to make a setuid-to-uucp shell (begin 4755
[remainder of security hole explanation deleted]

Even though you've told the net at large and who knows how many BBS's
around the world exactly how to hack a specific system and possibly
others, I'll make a suggestion: You should have answered this person via
e-mail with a cc to root. I'm glad I don't have an account on his system.

-- 
David Daniel (The man with no disclaimer)
tronix@polari.UUCP

"Beware the Truth. If you find a Truth it can demand that you
make painful changes." - Frank Herbert
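
An added example, not part of the original post: two audit checks an administrator could run for the condition the quoted text describes, namely a uudecode binary carrying setuid/setgid bits and incoming uuencoded files whose `begin` header asks for setuid/setgid modes. The function names are hypothetical, and the sample input in the usage comment is constructed.

```shell
#!/bin/sh
# Added example: defensive checks for the setuid-uudecode problem.
# Function names are hypothetical; nothing here comes from the post.
#
# Usage after sourcing this file (paths are examples only):
#   uudecode_is_setid /usr/bin/uudecode && echo "remove the setuid bit"
#   uu_setid_headers incoming.uu

# uudecode_is_setid PATH
# Succeeds (exit 0) when PATH has the setuid or setgid bit set, i.e. the
# vendor configuration the quoted text warns about.
uudecode_is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# uu_setid_headers FILE
# Prints "LINE MODE NAME" for every uuencode "begin" header in FILE whose
# mode requests setuid (04000) or setgid (02000).
# Exit status: 0 if at least one such header was found, 1 if none.
uu_setid_headers() {
    awk '
        # A header looks like: begin <octal mode> <file name>
        $1 == "begin" && $2 ~ /^[0-7][0-7][0-7]+$/ {
            mode = $2
            # The special bits are the 4th octal digit from the right;
            # a 3-digit mode has none.
            special = 0
            if (length(mode) >= 4)
                special = substr(mode, length(mode) - 3, 1) + 0
            # 1 = sticky only; 2 and above include setgid and/or setuid.
            if (special >= 2) {
                name = $0
                sub(/^begin[ \t]+[0-7]+[ \t]+/, "", name)
                print NR, mode, name
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}
```
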