mailing list archives
Re: Solaris /usr/bin/cu Vulnerability
From: Wietse Venema <wietse () PORCUPINE ORG>
Date: Fri, 19 Jan 2001 13:02:45 -0500
On Thu, Jan 18, 2001 at 11:57:12PM +0100, Konrad Rieck wrote:
cu is only set setuid for the owner uucp and an attacker won't gain any
special privileges, but he would gain access to the files in /etc/uucp.
Michael H. Warfield:
Correction... He does gain special privileges. He gains access
to all the uucp control files which can contain account names and passwords
on other systems. It ain't root, but it's more than what he should have.
It is worse than that. Once UUCP privilege is gained you can replace
the UUCP executables. That gives you full control over any user that
happens to execute those UUCP executables - a root-owned cron job,
a sendmail.cf mailer rule that executes as daemon, and so on.