[TUHS] Recovered /etc/passwd files
krewat at kilonet.net
Wed Oct 9 04:51:28 AEST 2019
Slightly off-topic, but still UUCP related. If a SunOS box NFS exported
/, and I could mount /, even without root NFS access, using the uucp
user, I could overwrite uucico because it was owned by uucp. The entry
in inetd.conf would automatically run uucico as root. Telnet to the box
on that port, and it would happily run whatever I put in the uucico file.
On 10/8/2019 2:38 PM, Norman Wilson wrote:
> Back in the heyday of uucp, some sites were lazy and allowed
> uucico access to any file in the file system (that was accessible
> to the uucp user). A common ploy for white hats and black hats
> was to try
> uucp remotesys!/etc/passwd ~/remotesys
> or the like, and see what came in and whether it had any easy
> hashes (shadow password files didn't quite exist yet).
> The system known to the uucp world as research! was more
> careful: / was mapped to /usr/spool/uucp. We left a phony
> etc/passwd file there, containing plausible-looking entries
> with hashes that, if cracked, spelled out
> I don't remember whether anyone ever stole it by uucp, though
> I think Bill Cheswick used it to set up the phony system
> environment for Berferd to play in (Google for `cheswick berferd'
> if you don't know the story).
> Norman Wilson
> Toronto ON
More information about the TUHS