Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!gatech!purdue!haven!umd5!lewhoosh.umd.edu!matthews
From: matthews@lewhoosh.umd.edu (Mike Matthews)
Newsgroups: comp.sys.next
Subject: Re: Ejecting the floppy
Message-ID: <7902@umd5.umd.edu>
Date: 25 Jan 91 15:03:44 GMT
References: <10365@pasteur.Berkeley.EDU> <7887@umd5.umd.edu> <10415@pasteur.Berkeley.EDU>
Sender: news@umd5.umd.edu
Distribution: usa
Organization: Computer Science Center, University of Maryland, College Park
Lines: 24

In article <10415@pasteur.Berkeley.EDU> carlton@aldebaran.berkeley.edu (Mike Carlton) writes:
>Would you care to give a little more detail on the security hole?
>Obviously if someone obtains write access to a suid script you've
>got big problems.  But if they can get access to a root owned, 4755
>file, then you've already got problems because there are plenty of those
>on the disk already.  Or is there something else to worry about?

I haven't tried this personally, heard it on comp.unix.admin I think.

Try making a link to that suid script.  Then run it with nice +64.  After
a second or two, recreate the link to whatever you want to do.  It will
have already gotten the suid bit, so whatever you relink to will run as
root.  That thing can be anything you wish, running as root...

Come to think of it, that'll work for anything.  Hmm.  Maybe I'm mistaken.
Can anyone verify this?

>Mike Carlton    carlton@cs.berkeley.edu
------
Mike Matthews, matthews@lewhoosh.umd.edu (NeXT)/matthews@umdd (bitnet)
------
"The Street finds its own uses for technology." -- William Gibson
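The exposure discussed in this thread comes from setuid or setgid permission bits sitting on interpreter scripts (files beginning with `#!`), where the kernel's privilege decision and the interpreter's later open of the script path are separate steps. The usual administrative answer is to have no such files at all. The audit helper below is an added example written for this page, not code from either poster; it walks a directory tree, reports any set-user-ID or set-group-ID regular file whose first two bytes are `#!`, and builds its own constructed fixture in a temporary directory so it can be run stand-alone. The fixture file names (`suid_script.sh`, `suid_binary`, `plain_script.sh`) and the `AUDIT_NO_DEMO` variable are assumptions of this example.

```sh
#!/bin/sh
# Added audit example (not from the original post). Lists setuid/setgid regular
# files under a directory whose first two bytes are "#!", i.e. interpreter
# scripts carrying a privilege bit. Every hit is a finding: the fix is to drop
# the bit or replace the script with a compiled wrapper, not to leave it in place.

# find_suid_scripts DIR -> prints one matching path per line
find_suid_scripts() {
    dir="$1"
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # Read only the first two bytes; "#!" marks a script run via an interpreter.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# count_suid_scripts DIR -> number of findings, as a bare integer
count_suid_scripts() {
    find_suid_scripts "$1" | wc -l | tr -d ' '
}

# make_fixture -> prints the path of a constructed temporary directory holding:
#   suid_script.sh   setuid shell script      (should be reported)
#   suid_binary      setuid non-script file   (not a script, not reported)
#   plain_script.sh  script without any bit   (not reported)
# Setting the setuid bit on a file you own needs no special privilege.
make_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$d/suid_script.sh"
    chmod 4755 "$d/suid_script.sh"
    printf 'constructed placeholder for a compiled binary\n' > "$d/suid_binary"
    chmod 4755 "$d/suid_binary"
    printf '#!/bin/sh\necho fine\n' > "$d/plain_script.sh"
    chmod 0755 "$d/plain_script.sh"
    printf '%s\n' "$d"
}

# Demo run against the constructed fixture; set AUDIT_NO_DEMO=1 to skip it and
# call find_suid_scripts /some/real/tree yourself.
if [ -z "${AUDIT_NO_DEMO:-}" ]; then
    fixture=$(make_fixture)
    echo "setuid/setgid interpreter scripts under $fixture ($(count_suid_scripts "$fixture") found):"
    find_suid_scripts "$fixture"
    rm -rf "$fixture"
fi
```

On a real system, point `find_suid_scripts` at `/` (it prunes nothing, so expect it to take a while) and treat any output as something to remove or rewrite; the two-byte check is deliberately narrow so it does not flag compiled setuid binaries, which are a separate review item.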