Xref: utzoo unix-pc.general:1144 comp.sys.att:3836
Path: utzoo!utgpu!water!watmath!uunet!nuchat!flatline!erict
From: erict@flatline.UUCP (j eric townsend)
Newsgroups: unix-pc.general,comp.sys.att
Subject: Great big gaping hole in ua's security
Keywords: Is this one new?
Message-ID: <1188@flatline.UUCP>
Date: 24 Jul 88 21:39:11 GMT
Organization: a flat near the Montrose, Houston, Tx.
Lines: 32

Well, I found another one.  Doesn't surprise me though. :-)

It's even more nefarious, and the user doesn't have to change
*anything* to get an id=0,gid=0 shell!

If you have the "Toybox" installed, and a game that lets you escape to
shell, odds are you have a root shell.  I did this with a game in my
Toybox....

I checked the toybox file, and noticed that *all* the games were run:

    Run=EXEC -pwd /usr/games/nameofgame

Each game is run from a root shell.  Any game that lets you escape to
shell will spawn a root shell.  I'm going to try modifying it to see if
the games will run w/o root permissions.

Geeze.  AT&T is *soooo* bad-ass about their equipment, then they fuck
up like this.  They used to charge what, $12k for a 3b1?

Some people may be upset that I posted this security hole.  I think
that if people know about it, they can fix it, otherwise you have:
set criminal-types know about hole, set user-types do not,
criminal-types can use hole to take advantage of user-types.

People interested in breaking into 3b1's probably know about this one
already, so....

--
Motorola Skates on Intel's Head!
J. Eric Townsend ->uunet!nuchat!flatline!erict smail:511Parker#2,Hstn,Tx,77007
..!bellcore!tness1!/
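
An audit for the condition described in the post above, added here as an example and not part of the original post or of AT&T's software: it lists every menu entry of the quoted `Run=EXEC -pwd /usr/games/nameofgame` form and notes whether the target program contains a shell path string. The menu file location is supplied by the operator, the string match is an assumed heuristic for spotting candidate shell escapes, and the sample file and game names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Lists every menu entry of the
# form the post quotes, "Run=EXEC -pwd /usr/games/nameofgame", and checks
# whether the target program contains a shell path string.

# audit_ua_menu MENU_FILE [ROOT_PREFIX]
# Output per entry: "<flags> <path> <verdict>"
audit_ua_menu() {
    menu=$1
    root=${2:-}   # optional prefix, for auditing a mounted or copied tree
    sed -n 's/^[[:space:]]*Run=EXEC[[:space:]]\{1,\}-\([A-Za-z]\{1,\}\)[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1 \2/p' "$menu" |
    while read -r flags path; do
        target=$root$path
        if [ ! -f "$target" ]; then
            verdict=missing
        elif grep -q -e '/bin/sh' -e '/bin/csh' -e '/bin/ksh' "$target"; then
            verdict=references-shell      # heuristic: candidate shell escape
        else
            verdict=no-shell-string
        fi
        printf '%s %s %s\n' "$flags" "$path" "$verdict"
    done
}

# make_sample DIR: constructed sample data (file and game names are made up).
make_sample() {
    mkdir -p "$1/usr/games"
    cat > "$1/Toybox.sample" <<'EOF'
Run=EXEC -pwd /usr/games/gameA
Run=EXEC -pwd /usr/games/gameB
Run=EXEC -pwd /usr/games/gameC
EOF
    printf 'stub: system("/bin/sh")\n' > "$1/usr/games/gameA"
    printf 'stub: no escape\n' > "$1/usr/games/gameB"
}

# Run against a real menu file when arguments are given.
if [ "$#" -gt 0 ]; then
    audit_ua_menu "$@"
fi
```

A `no-shell-string` verdict does not show that a program has no escape; it only narrows which entries to review first.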