more info on the iosmash.c exploit

From: John Scimone (jscimoneat_private)
Date: Tue Apr 23 2002 - 13:23:43 PDT

    phased had some comments he wanted me to forward on to the lists in
    regards to his latest exploit.
    
    He says that skeys are used via all authentication methods, i.e. telnet, so
    someone could change the user to someone in the wheel group.  Haven't used
    skeys via ssh yet but I presume it works.  Root obviously can't just telnet
    in by default but usually can ssh, but if the box being exploited contains
    people in the wheel group you can change the root user in the exploit to any
    user to log in via skeys as that user.
    
    -sert-
    
    That file you've been guarding, isn't.
    -------------------------------------------------------------------
          ______________________________
         /   _____/\______   \__    ___/   | Secure Network Operations
         \_____  \  |       _/ |    |      | http://www.snosoft.com
         /        \ |    |   \ |    |      | reconat_private
        /_______  / |____|_  / |____|      |
                \/         \/              | Project Cerebrum
        Strategic  Reconnaissance Team     | cerebrumat_private
    
    ---------- Forwarded message ----------
    Date: Wed, 24 Apr 2002 03:33:15 +0400
    From: James Green <phasedat_private>
    To: reconat_private
    Subject: the iosmash.c exploit
    
    
    In the comments I used su to gain root. Someone needs to post to bugtraq
    that skeys is used via all auth methods, i.e. telnet, so you could change
    the user to someone in wheel. Haven't used skeys via ssh but I presume it
    works. root isn't allowed to telnet by default but usually can ssh, but if the
    box has people in the wheel group you can change the root to any user in the
    exploit to log in via skeys as that user.  btw don't forward this post cos I
    had some beers tonight heh :) put it in better english lol
    
    phased
    phasedat_private
    
    -------------------------------------------------------