
(Linux) security hole



Hi all,

Though this bug is an old one, it is still applicable to at least
Red Hat 4.0 on Intel and ALPHA, and probably other distributions. It may
even extend to other Unix implementations as well, although we have not
tested them (at all or thoroughly).

Create a user with user id 65536. When logging in as this user, running
the id command will yield root (in other words, there are only 16 bits in
a uid). /etc/securetty and ftp restrictions are bypassed when connecting
through the net. The 'r' commands may allow access or not; this appears to
be implementation dependent.

Does this 'feature' apply to other platforms/Unix versions as well?

[mod: We try not to publish old stuff. On the other hand, as a
reminder to "younger" people I think a single message about an older
issue could be warranted. I DON'T want any discussion about this
"problem". This is just a statement of fact. OK?

Traditionally Unix systems use 16 bit numbers to represent uids. This
leads to the observed behaviour. Whether or not the "r" commands and
daemons use a 16 bit uid (and consider this uid == 0) or incorrectly use
a 32 bit uid is an implementation question, and will differ from 
system to system. -- REW]


Arthur Donkers
Le Reseau
arthur reseau nl

Arjan Vos
KPMG EDP Auditors
avos kpmg nl        (work)
arjan pino demon nl (private)
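The following is an added example, not part of the original message or the list archive: a small audit script that reads passwd-format lines and flags every uid that does not fit in 16 bits, reporting which existing account its truncated value collides with (uid 65536 collapsing to 0, i.e. root, is the case described above). The sample passwd lines are constructed for illustration, and the function names and the 16-bit width are the author's assumptions; the width is a parameter so the same check can be run for any other truncation width a system might use.

```python
"""Audit passwd-style entries for uids that alias to another uid once a
kernel or daemon truncates them to a fixed number of bits.

Added example; the sample lines below are constructed and do not come
from any real system.
"""

UID_BITS = 16                      # assumed width of a traditional Unix uid
UID_MASK = (1 << UID_BITS) - 1     # 0xFFFF

# Constructed sample /etc/passwd content (not a real file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:65536:100:Bob:/home/bob:/bin/sh
carol:x:66536:100:Carol:/home/carol:/bin/sh
"""


def parse_passwd(text):
    """Return a list of (name, uid) pairs from passwd-format text.

    Malformed lines (too few fields, non-numeric uid) are skipped so a
    partially damaged file still yields the entries that can be checked.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        entries.append((fields[0], uid))
    return entries


def truncated_uid(uid, bits=UID_BITS):
    """The value a uid collapses to when stored in `bits` bits."""
    return uid & ((1 << bits) - 1)


def find_uid_aliases(entries, bits=UID_BITS):
    """Return (name, uid, truncated_uid, owners_of_truncated_uid) for every
    entry whose uid does not fit in `bits` bits.

    `owners_of_truncated_uid` lists the accounts that legitimately hold the
    truncated value, so a collision with uid 0 shows up as ['root'].
    """
    by_uid = {}
    for name, uid in entries:
        by_uid.setdefault(uid, []).append(name)

    limit = 1 << bits
    findings = []
    for name, uid in entries:
        if uid >= limit:
            t = truncated_uid(uid, bits)
            findings.append((name, uid, t, by_uid.get(t, [])))
    return findings


if __name__ == "__main__":
    for name, uid, t, owners in find_uid_aliases(parse_passwd(SAMPLE_PASSWD)):
        owner = ", ".join(owners) if owners else "no existing account"
        print(f"{name}: uid {uid} truncates to {t} ({owner})")
```

Run against a real file with `parse_passwd(open("/etc/passwd").read())`; any finding whose truncated value is 0 is an account that a 16-bit uid path would treat as root, and the remedy is simply to keep all uids below 65536 on systems where any component still uses 16-bit uids.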


