Shalom,

I have verified a problem with "/" permission on AIX versions 3.2.5.0, 4.1.4.0, 4.2.1.0, and I guess on every version of AIX.

The problem is that the owner of "/" is user bin instead of user root. Which means that if one manages to get "bin" permissions he might get root permissions by:

> mv -r /etc /etc.old
> cp -r /etc.old /etc
> echo "yarony::0:0:Yaron:/:/bin/tcsh" >> /etc/passwd

or something like that.

And to get bin permissions one should exploit the current version of sendmail or use a mis-configured NFS server, or exploit a buffer overflow in /usr/bin/nslookup (the only suid bin in AIX, and it is suid only in AIX 4.1.5).

I have informed AIX about it a month ago. They told me that it doesn't look like this is going to be changed. The reason was that all my ideas about how to get bin permissions were by exploiting a mis-configured system.

Yours,
Yaron.

--
Yaron Yanay. email:yaronyat_private , http://yarony.il.eu.org
Chief Teaching Assistant - Computer Security (236350) - Technion CS Department
Unix Security Supervisor - Computer Center - Haifa University - Israel
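An audit for the condition reported above, added here as an example and not part of the original post: it walks every directory above a sensitive file and flags any that a non-root account could use to rename or replace entries. The names audit, ancestors and FakeStat, the trusted-uid set, and the sample ownership tables (with uid 2 standing in for bin) are assumptions constructed for illustration.

```python
import os
import stat
from collections import namedtuple

TRUSTED_UIDS = {0}  # assumption: only root may own directories on the path

# Minimal stand-in for os.stat_result so the walk can run on constructed data.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")

def ancestors(path):
    """Yield '/' and then each directory on the way down to path."""
    parts = [p for p in os.path.normpath(path).split("/") if p]
    yield "/"
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])

def audit(path, stat_fn=os.stat, trusted=TRUSTED_UIDS):
    """Return (directory, reason) for each ancestor a non-root user controls."""
    findings = []
    for d in ancestors(path):
        st = stat_fn(d)
        # The owner can always chmod the directory and then rename or
        # replace its entries, so ownership matters whatever the mode says.
        if st.st_uid not in trusted:
            findings.append((d, f"owned by uid {st.st_uid}"))
        # World-writable without the sticky bit lets anyone rename entries.
        if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            findings.append((d, "world-writable without sticky bit"))
    return findings

# Constructed sample: "/" owned by uid 2 (bin), as the post describes.
CONSTRUCTED_REPORTED = {
    "/": FakeStat(2, stat.S_IFDIR | 0o755),
    "/etc": FakeStat(0, stat.S_IFDIR | 0o755),
}
# Constructed sample: the same tree with "/" owned by root.
CONSTRUCTED_FIXED = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/etc": FakeStat(0, stat.S_IFDIR | 0o755),
}

if __name__ == "__main__":
    # Run against the live filesystem of the host being checked.
    for directory, reason in audit("/etc/passwd"):
        print(f"{directory}: {reason}")
```

Run directly, it checks the ancestors of /etc/passwd on the local host; an empty result means every directory above the file is root-owned and not open to rename by other users.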
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:04 PDT