The 'Security Digest' Archives (TM)


ARCHIVE: Zardoz 'Security Digest' - Archives (1989 - 1991)
DOCUMENT: Zardoz 'Security Digest' V1 #21 1989-05-18 (1 file, 1611 bytes)
SOURCE: http://securitydigest.org/exec/display?f=zardoz/archive/121.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT


Date: Thu, 18 May 89 14:59:47 PDT
Subject: Security Digest V1 #21

Security Digest Volume 1 Issue 21

subject(s):

            Re:  Security Digest V1 #20
            Re: SERIOUS bug in 3B2/500's and above
            how to get articles from CCR

------------------------------------------------------------------------

Date: Wed, 10 May 89 18:01:27 PDT
From: vsi!friedl
Subject: Re:  Security Digest V1 #20

> The hole [the /etc/prtconf.d bug] is real and the problem occurs
> on *ALL* 3B2s in *ALL* os releases with scsi disks and tape...

This has not been my experience.  I believe the /tmp/scsi file is
created only for SCSI disk devices and specifically not for tape
drives, so these machines are immune.  We run a 3B2/400 with an
auxiliary 60MB tape drive and I can't even crack my own machine :-(.

------------------------------------------------------------------------

Date: Tue, 9 May 89 13:39:44 EDT
From: Ian Darwin <uunet!sq.sq.com!ian>
Subject: Re: SERIOUS bug in 3B2/500's and above

>...  I have discovered a major
>bug that will allow any user on any 3B2 computer with SCSI disk
>drives (that's all 3B2/500s and above, plus the smaller models
>that have added this option) to become root in about a minute if
>you type slow.

On our system, a 3B2/500 with SVR3 (uname reports 3.1.1 3 3B2)
the prtconf.d/scsi program is NOT setuid, and in fact is not
even executable by non-root users:
-r-xr-xr--   1 root     root       16164 Sep  9  1987 scsi

Chmodding it -s,o-x seems to be a fine solution to the mess.  Neither I nor
my co-sysadmin did this, however, so I presume that either 3.1.1 has it
right in the distribution, or AT&T fixed it in some update that we've
applied.  Either that, or one of our crafty users already exploited this
loophole and then closed it behind himself...

BTW, the mind boggles at the overkill of system("rm foo"); as opposed to
(void) unlink("foo"); it sounds a little like somebody's first (system)
program in C.
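
An added example, not part of the original post and not AT&T's code: a POSIX shell audit for the condition checked in the message above (a setuid or setgid file that non-owners may execute), plus the chmod fix it mentions. The function names and the fixture file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: all names and paths below are constructed for illustration.

# audit_setid DIR: print every regular file under DIR that carries a
# setuid or setgid bit AND is executable by "other" users.
audit_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -perm -0001 -print
}

# harden_setid FILE: explicit form of the message's "chmod -s,o-x":
# drop setuid and setgid, and remove execute permission for "other".
harden_setid() {
    chmod u-s,g-s,o-x -- "$1"
}

# make_fixture: build a throwaway directory of empty files whose modes
# mimic the cases discussed; prints the directory path.
make_fixture() {
    d=$(mktemp -d) || return 1
    : > "$d/scsi_risky"          && chmod 4555 "$d/scsi_risky"          # setuid, o+x
    : > "$d/scsi_as_reported"    && chmod 0554 "$d/scsi_as_reported"    # -r-xr-xr--
    : > "$d/scsi_setuid_private" && chmod 4550 "$d/scsi_setuid_private" # setuid, no o+x
    printf '%s\n' "$d"
}

# Stand-alone use: sh audit.sh /some/dir  (reports only, changes nothing)
if [ "$#" -gt 0 ]; then
    audit_setid "$1"
fi
```

Only the first fixture file is reported; the mode shown in the message (`-r-xr-xr--`) and a setuid file without other-execute are not.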

------------------------------------------------------------------------

Date: Tue, 09 May 89 08:04:00 -0400
From: Craig Partridge <uunet!NNSC.NSF.NET!craig>
Subject: how to get articles from CCR

How to get articles published in ACM SIGCOMM Computer Communication Review
(including the Bellovin article).

    (1) You can order a copy of the relevant issue from the ACM
    Publications Order Dept.  1-800-342-6626.  Have a credit card
    ready and expect it to take a few weeks.  Bellovin's article
    appears in the April '89 issue.

    (2) You can get someone to copy it for you.  All SIGCOMM
    asks is that, as a courtesy, you put a cover sheet on the
    article indicating it is a reprint from Computer Communication
    Review and that you include the cover sheet in any copies you make.

    (3) Eventually we will get the articles on-line in Postscript,
    but that isn't quite ready yet.

More generally, if you think CCR is of interest to you, you can join
SIGCOMM (the ACM SIG on data communication).  If you are an ACM member
just call ACM and ask them to be added to SIGCOMM (it's free til your
next renewal).  Otherwise, there's an application in the back of each
issue of CCR.

------------------------------------------------------------------------

        End of Security Digest Volume 1 Issue 21
        **********************

END OF DOCUMENT