Re: Cobalt root exploit

From: John Fraizer (John.Fraizerat_private)
Date: Fri Feb 26 1999 - 03:30:15 PST

    The patch released by Cobalt appears to only remove the current
    .bash_history file.  It does not change the name, location or permissions
    of the file.
    
    RaQ configuration:
    
    Cobalt OS Patch (2700R)Release 2.0
    Cobalt OS Release 3.0
    FrontPage98 Server Extensions Release 3.0
    Shell History Patch Release 1.0
    
    
    [root@raq admin]# pwd
    /home/sites/home/users/admin
    
    [root@raq admin]# ls -al
    total 58
    drwxrwxr-x   5 httpd    home         1024 Feb 26 06:08 .
    drwxrwxr-x   3 httpd    home         1024 Jan 12 18:31 ..
    -rw-rw-r--   1 httpd    home         5758 Jan 12 18:31 index.html
    drwx------   2 httpd    home         1024 Feb 13 02:01 mail
    
    [root@raq admin]# telnet localhost
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    
    Cobalt Linux release 3.0 (Fargo)
    Kernel 2.0.34 on a mips
    
    login: admin
    Password:
    Last login: Fri Feb 26 06:07:42 from localhost
    
    [admin@raq admin]$ ls -al
    total 58
    drwxrwxr-x   5 httpd    home         1024 Feb 26 06:08 .
    drwxrwxr-x   3 httpd    home         1024 Jan 12 18:31 ..
    -rw-rw-r--   1 httpd    home         5758 Jan 12 18:31 index.html
    drwx------   2 httpd    home         1024 Feb 13 02:01 mail
    
    [admin@raq admin]# exit
    
    [root@raq admin]# ls -al
    total 59
    drwxrwxr-x   5 httpd    home         1024 Feb 26 06:13 .
    drwxrwxr-x   3 httpd    home         1024 Jan 12 18:31 ..
    -rw-r--r--   1 admin    users          12 Feb 26 06:13 .bash_history
    -rw-rw-r--   1 httpd    home         5758 Jan 12 18:31 index.html
    drwx------   2 httpd    home         1024 Feb 13 02:01 mail
    [root@raq admin]#
    
    
    The .bash_history file is still created even after Shell History Patch
    Release 1.0 is applied to the RaQ, and it is still world-readable.
    
    And of course, what post to BUGTRAQ would be complete without a fix?
    
    The Fix:
    
    Add the following lines to /etc/profile
    
    touch "$HISTFILE"
    chmod 600 "$HISTFILE"
    
    
    For the really paranoid, place the following line before the touch command:
    
    HISTFILE=~/.some.other.name
    
    
    
    ------------------------------------------------------------------
    ML.ORG is gone.  Check out http://www.EZ-IP.Net - It's *FREE*
    ------------------------------------------------------------------
    Get your *FREE* Parked Domain account at http://www.EZ-Hosting.Com
    ------------------------------------------------------------------
    John Fraizer                      |    __   _                 |
    The System Administrator          |   / /  (_)__  __ ____  __ | The choice
    mailto:John.Fraizerat_private |  / /__/ / _ \/ // /\ \/ / |  of a GNU
    http://www.EnterZone.Net/         | /____/_/_//_/\_,_/ /_/\_\ | Generation
    PGP Key fingerprint =  7DB6 1CA2 DAA6 43DA 3AAF  44CD 258C 3D7E B425 81A8
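
The profile fix above does the job in the common case, but a practitioner will want two more things: a way to create the history file so that it is never world-readable even for an instant (touch followed by chmod leaves the file at the default mode between the two commands, and fails outright if HISTFILE happens to be unset), and a way to audit a RaQ for history files that are still readable. The following POSIX shell script is an added example, not code from the original post or from Cobalt; the function names and the constructed directory tree it runs against are this example's own, and the note that bash sets HISTFILE only for interactive shells is the reason for the fallback to $HOME/.bash_history.

```shell
#!/bin/sh
# Added example (not from the original post): create shell history files
# with owner-only permissions from the start, and audit a tree for history
# files that are still readable by group or other. Function names and the
# sample directory layout below are this example's own.

# Create the history file $1 with mode 0600. The restrictive umask is set in
# a subshell so it does not leak into the caller's environment, and the file
# is created by a redirection rather than touch-then-chmod so there is no
# window in which it exists with the default 0644 mode.
harden_histfile() {
    hf=$1
    ( umask 077; : >> "$hf" ) || return 1
    # an already existing file keeps its old mode through the append, so fix it too
    chmod 600 "$hf"
}

# List every .bash_history under $1 that group or other can read.
find_readable_histories() {
    find "$1" -type f -name .bash_history \
        \( -perm -004 -o -perm -040 \) 2>/dev/null
}

# What the /etc/profile fix looks like with the same precautions: fall back
# to ~/.bash_history when the shell did not set HISTFILE (bash only sets it
# for interactive shells), and quote the path.
profile_snippet() {
    cat <<'EOF'
HISTFILE=${HISTFILE:-$HOME/.bash_history}
( umask 077; : >> "$HISTFILE" )
chmod 600 "$HISTFILE"
EOF
}

# Stand-alone demonstration on a constructed directory tree (a temp dir, not
# a real /home/sites): one user with a 0644 history file, one with none yet.
demo() {
    top=$(mktemp -d) || return 1
    mkdir -p "$top/admin" "$top/fred"
    : > "$top/admin/.bash_history"
    chmod 644 "$top/admin/.bash_history"

    echo "before:"
    find_readable_histories "$top"

    harden_histfile "$top/admin/.bash_history"
    harden_histfile "$top/fred/.bash_history"

    echo "after (expect no output):"
    find_readable_histories "$top"
    ls -l "$top/admin/.bash_history" "$top/fred/.bash_history"
    rm -rf "$top"
}

demo
```

Run it as is to see the before/after audit on the temporary tree; on a real RaQ, `find_readable_histories /home/sites` (or wherever site home directories live) is the check to run after applying the profile change, and `profile_snippet` prints the lines to put in /etc/profile in place of the bare touch/chmod pair.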
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:45 PDT