On 10/8/2019 5:02 PM, Dave Horsfall wrote:
On Tue, 8 Oct 2019, Arthur Krewat wrote:
Slightly off-topic, but still UUCP related. If a
SunOS box NFS
exported /, and I could mount /, even without root NFS access, using
the uucp user, I could overwrite uucico because it was owned by uucp.
The entry in inetd.conf would automatically run uucico as root.
Telnet to the box on that port, and it would happily run whatever I
put in the uucico file.
Bad joo-joo.
*Cough cough* I remember that *cough cough*...
cough cough back at you, sir ;)
Unix systems in those days were broken in subtle ways; we once broke
into a Gould (marketed as the most secure box on the planet[*]) by
social-engineering a marketoid (we tricked him into running a custom
"ls" or something). "Thank you Sir, and we've just broken into your
Gould; there's the root prompt".
I was able to social-engineer an operator a few times on TOPS-10 systems
back in the day to reset passwords, or mount disks. "Can you give me a
list of disks you have ready to mount?" - "blah blah blah" - "OK,
mount
pack BLARG".
But then, one time, I was talking to an "operator" for a while before I
realized it was an ELIZA-like program that kept going back around in a
loop. Trying to be suave, I started it by asking how they were doing,
and got all sorts of weird responses.
At some point, realizing I was talking to a bot, I said: "I feel bad" -
and it replied something to the effect of "Can you explain why you feel
bad?". Typical ELIZA response ;)
Someone at that university had a sense of humor, that's for sure. Broke
into it anyway guessing passwords.
ak