Path: utzoo!mnetor!uunet!munnari!otc!metro!ipso!runx!avenger
From: avenger@runx.ips.oz (Troy Rollo )
Newsgroups: comp.bugs.sys5
Subject: Re: A security hole
Message-ID: <1458@runx.ips.oz>
Date: 5 Apr 88 10:15:48 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <478@minya.UUCP> <7521@ncoast.UUCP> <130@heart-of-gold> <4209@ihlpf.ATT.COM>
Organization: RUNX Un*x Timeshare. Sydney, Australia.
Lines: 42

>.
>.drwxrwxr-x 21 jc wheel 2560 Mar 24 08:30 .
>.-rw-r--r-- 2 jc wheel 250 Jan 29 14:53 .login
>.
>.And here's the rnews command:
>.
>.22531 -rwsr-sr-x 2 news news 114688 Mar 17 13:33 /news/bin/rnews
>.
>.Explain to me how someone could use this setuid-news, setgid-news program
>.to write into my .login file. Now need to explain further; I do appreciate
>.why I wouldn't want you to do that. But I don't quite see how this setup
>.makes it possible.
>
>It is not possible for someone to *directly* abuse this to write to your
>(uid=jc, gid=wheel) .login file. However, someone may be able to abuse
>rnews and become uid=news, gid=news. They would then have access to all of
>news's files.

This is where the security break is. Once a user has broken through the
news uid and gid they can modify rnews. The hacker copies the genuine
version to another place, then creates his own program which sets its
effective user and group IDs back to the real user and group IDs. The
program then creates a new file on another directory under your uid and
gid with the mode 6777 (setuid, setgid, rwx for all). Later another program
can be copied over it. Alternatively that program can be placed in the file
by the bogus rnews. The new rnews then goes on to execute the real rnews,
so the person who runs rnews will be completely unaware of what has
happened.

Voila... the hacker has your user and group IDs and can modify your .login
or anything else.

BTW. I have broken through news programs with setuid and setgid on two
occasions, which illustrates the fact that it is difficult to be certain
about any setuid, setgid program.

----------------------------------------------------------------
Internet: avenger@runx.ips.oz.au        Founder of the League of
UUCP: uunet!runx.ips.oz.au!avenger      Computer Criminals
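
An audit for the two conditions the post above turns on, as an added example that is not part of the original post: set-id files that group or other can write (the mode 6777 file it describes) and set-id programs owned by a non-root account such as news, which that account can replace. The function name audit_setid and the flag names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. audit_setid is a hypothetical name.
# Prints one line per setuid/setgid regular file under DIR:
#     FLAG MODE UID PATH
# FLAG is
#   WRITABLE-SETID  group or other may write the file (e.g. mode 6777)
#   NONROOT-SETID   owned by a non-root account (e.g. a news-owned rnews),
#                   so that account can replace the program
#   ROOT-SETID      owned by uid 0 and not group/other writable
# Assumption: file names contain no newlines.
audit_setid() {
    dir=$1
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        # Numeric owner and symbolic mode from a long listing.
        meta=$(ls -ldn "$f" | awk '{print $1 " " $3}')
        mode=${meta% *}
        uid=${meta#* }
        # Re-test only this file for group-write or other-write bits.
        if [ -n "$(find "$f" \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            flag=WRITABLE-SETID
        elif [ "$uid" != 0 ]; then
            flag=NONROOT-SETID
        else
            flag=ROOT-SETID
        fi
        printf '%s %s %s %s\n' "$flag" "$mode" "$uid" "$f"
    done
}

# Stand-alone use: sh audit.sh /some/dir
if [ "$#" -gt 0 ]; then
    audit_setid "$1"
fi
```

Run it over home directories and spool areas as well as system paths, and compare the output against a saved baseline so that a new set-id file or a changed owner stands out.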