AIX : "/" is owned by bin.bin

From: Yaron Yanay (yaronyat_private)
Date: Mon Jun 01 1998 - 11:13:29 PDT

    Shalom,
            I have verified a problem with "/" permission on AIX versions:
    3.2.5.0, 4.1.4.0, 4.2.1.0, and I guess on every version of AIX.
    
    The problem is that the owner of "/" is user bin instead of user root.
    
    Which means that if one manages to get "bin" permissions he might get
    root permissions by:
    
    > mv -r /etc /etc.old
    > cp -r /etc.old /etc
    > echo "yarony::0:0:Yaron:/:/bin/tcsh">> /etc/passwd
    or something like that.
    
    And to get bin permissions one should exploit the current version of
    sendmail or use a mis-configured NFS server, or exploit a buffer overflow in
    /usr/bin/nslookup (the only suid bin in AIX, and it is suid only in AIX 4.1.5)
    
    I informed AIX about it a month ago. They told me that it doesn't
    look like this is going to be changed. The reason was that all my ideas
    about how to get bin permissions were by exploiting a mis-configured system.
    
    Yours,
            Yaron.
    --
    Yaron Yanay. email:yaronyat_private , http://yarony.il.eu.org
    Chief Teaching Assistant - Computer Security (236350) - Technion CS Department
    Unix Security Supervisor - Computer Center - Haifa University - Israel
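
A defender-side check for the condition reported in this message, as an added example that is not part of the original post: it reads `ls -ldn` output and flags a directory that is not owned by uid 0 or that is group- or world-writable. The function names, the script name and the sample line in the comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Audits `ls -ldn` output.
# Constructed sample: check_line 'drwxr-xr-x 20 2 2 1024 Jun 01 1998 /'

# check_line LINE: LINE is one `ls -ldn <dir>` line (numeric uid/gid).
# Prints findings; returns 1 if a non-root account could alter the directory.
check_line() {
    set -f            # no globbing while splitting the line into fields
    set -- $1         # mode links uid gid size month day time path
    set +f
    mode=$1 uid=$3 path=$9 status=0
    # The owner can always chmod the directory and then rename its entries,
    # so any owner other than uid 0 controls what lives at that path.
    if [ "$uid" != 0 ]; then
        echo "$path: owned by uid $uid, expected 0 (root)"
        status=1
    fi
    # Character 6 of the mode string is group write, character 9 other write.
    case $mode in
        ?????w*|????????w*)
            echo "$path: mode $mode is group- or world-writable"
            status=1 ;;
    esac
    return $status
}

# audit_dirs DIR...: run check_line against the live filesystem.
audit_dirs() {
    rc=0
    for d in "$@"; do
        if line=$(ls -ldn "$d" 2>/dev/null); then
            check_line "$line" || rc=1
        else
            echo "$d: cannot stat"; rc=1
        fi
    done
    return $rc
}

# Run as: sh audit.sh / /etc   (script name is hypothetical)
if [ $# -gt 0 ]; then audit_dirs "$@"; fi
```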
    


