Xref: utzoo news.sysadmin:1840 comp.unix.wizards:13215
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!encore!gloom!cory
From: cory@gloom.UUCP (Cory Kempf)
Newsgroups: news.sysadmin,comp.unix.wizards
Subject: Re: Trojan horse possible with news readers
Summary: How to break in with mail/news to root...
Message-ID: <229@gloom.UUCP>
Date: 6 Dec 88 15:39:03 GMT
References: <6775@rosevax.Rosemount.COM>
Organization: Alloy Computer Products, Framingham, Mass.
Lines: 30

A few days ago, I posted an article in which I implied that it would
be possible to get root access to a machine just by sending mail or
posting an article that was replied to.  This article wasn't supposed
to make it out, but it did anyway.  (Damned cancel didn't work.)

Anyway, a number of people have written asking how this worked.

The Sysadmin, while not root (UID=user), reads news/mail and replies.
The default editor is vi.  The last few lines of the letter/article
contain lines of the sort <:>cmd<:>.  The last of these lines
causes all lines beginning with <:> to be deleted.  The rest
create/modify the .exrc file in the CURRENT working directory (if
write access is allowed) to probe for write access to /etc/passwd,
and if it is allowed, include a line like
"suser::0:0:Super User:/:/bin/csh"
in the /etc/passwd file.  So, when the Sysadmin su's to root,
and then executes vi, vi looks in the CURRENT working directory for
a file named .exrc, and executes that.

And that is how the vi modeline bug can be exploited to give root
access even if you never read news/mail as root.  (NB: instead of modifying
the /etc/passwd file, it could just check the UID, and if it is 0 do
an 'rm -rf / &'.)

+C

-- 
Cory (the last person to escape alive from riverside) Kempf
UUCP: encore.com!gloom!cory
	"...it's a mistake in the making."	-KT
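The post above describes the attack in terms of an obfuscated <:>cmd<:> trailer; the real trigger is a vi/ex modeline, which classic vi honours when it appears in the first or last five lines of the file being edited. The following scanner is an added example, not code from the original post or from any news or mail software of the time: it pulls modeline-style lines out of an article body and classifies the ex command they carry, so that a trailer which shells out (the ":!" escape) or writes/sources a file (the .exrc and /etc/passwd tricks) can be flagged before anyone replies to it in vi. The sample article, the `vi:`/`vim:`/`ex:` regex, the five-line window and the command categories are all assumptions made for this example.

```python
import re

# Constructed sample article body (not from the original post): an
# ordinary reply followed by a modeline trailer of the kind described above.
SAMPLE_ARTICLE = """\
Subject: Re: anyone using the new tape driver?

Works fine here, just remember to set the block size.

-- 
joe@example.uucp
ex:!echo pwned > /tmp/x:
vi:set ts=4 sw=4:
ex:g/^ex:/d:
"""

# Assumed modeline form: "vi:", "vim:" or "ex:" at the start of a line or
# after whitespace, followed by an ex command, optionally closed by ":".
MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim|ex):\s*(.*?)\s*$')
# Classic vi only looks for modelines in the first and last N lines.
MODELINE_WINDOW = 5

# Command categories (assumed for this example):
#   shell  - anything containing "!" reaches a shell (the ":!cmd" escape)
#   file   - writes, reads or sources a file (how .exrc / /etc/passwd get touched)
#   edit   - rewrites the buffer (e.g. the g/.../d used to hide the trailer)
#   option - plain ":set" options, the only thing a modeline should ever do
FILE_CMDS = {'w', 'write', 'wq', 'x', 'so', 'source', 'r', 'read'}
EDIT_CMDS = {'g', 'global', 'v', 'd', 'delete', 'map', 'ab', 'abbreviate'}
OPTION_CMDS = {'se', 'set'}


def find_modelines(text):
    """Return (line_number, command) for every modeline inside the window."""
    lines = text.splitlines()
    n = len(lines)
    window = set(range(min(MODELINE_WINDOW, n)))
    window |= set(range(max(0, n - MODELINE_WINDOW), n))
    found = []
    for i in sorted(window):
        m = MODELINE_RE.search(lines[i])
        if m:
            found.append((i + 1, m.group(1).rstrip(':')))
    return found


def classify(cmd):
    """Classify one ex command carried by a modeline."""
    c = cmd.strip()
    if '!' in c:
        return 'shell'
    first = re.split(r'[\s/]', c, 1)[0]
    if first in FILE_CMDS:
        return 'file'
    if first in EDIT_CMDS:
        return 'edit'
    if first in OPTION_CMDS:
        return 'option'
    return 'other'


def scan_article(text):
    """Report every modeline found, with its line number and category."""
    return [{'line': lineno, 'command': cmd, 'category': classify(cmd)}
            for lineno, cmd in find_modelines(text)]


def is_suspicious(text):
    """True if any modeline shells out or touches the filesystem."""
    return any(r['category'] in ('shell', 'file') for r in scan_article(text))


if __name__ == '__main__':
    for entry in scan_article(SAMPLE_ARTICLE):
        print(entry)
    print('suspicious:', is_suspicious(SAMPLE_ARTICLE))
```

The scanner only reports what a modeline could ask the editor to do; the durable fix is on the editor side. Modern vi implementations ship with both behaviours off: in Vim the 'modeline' option controls whether trailers like these are honoured at all (it is off by default for root), 'exrc' controls whether a .exrc in the current directory is read, and 'secure' stops any .exrc that is read from running shell or write commands. A root shell whose editor still has those on is the precondition for the attack the post describes.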