
[cobalt-security] POSSIBLE MAJOR SECURITY BREACH



>I never said the restore CDs were doing it.  I 
>don't know that they are.  I don't think they are.
>I originally thought it was the latest kernel 
>patches or the latest updates, but I'm not sure 
>now.  An associate tells me he thinks it's just 
>RUNNING CMU. We don't know yet.  Everything else 
>is premature.

I know what did it, it's that damn Neomail program!
It's the same damn issue that I fumbled onto back in
Nov when it became clear that Neomail v1.2.3 (the
first or second release of the pkg) was changing
suidperl so it had the S bit set on the file (which
was exploitable by the P-trace bug):

-rws--x--x  2 root  root 517916  Apr  6  1999 suidperl

http://list.cobalt.com/pipermail/cobalt-users/2001-November/056752.html

I bet you ANYTHING it's that damn Neomail program that
changed these permissions... And if that's the case,
then there are literally hundreds (or more) of RaQ users
whose shadow passwd file has been changed to the same
ugly permissions!

The two RaQ3s that I mentioned reinstalled back in
Feb last year (after the BIND hack), they both had the
first or second release of Neomail installed off
http://pkg.nl.cobalt.com/.

-rw-r--r-- 1 root root 3230 Feb  4 22:39 shadow
-rw-r--r-- 1 root root 3274 Feb  4 22:38 shadow-

While the third RaQ I just set up (with a fresh OS
install) has only had the newest release of Neomail
installed (1.2.5 or something), and it has (had) the
following permissions on shadow:

-rw-r--r-- 1 root root 1931 Jan 25 17:48 shadow
-r-------- 1 root root 1931 Jan 12 00:52 shadow-

I changed those puppies on all my machines back to 400
and have started changing passwords - but I'm telling
you guys, it's Neomail. I'll bet there's a good number
of users who installed earlier versions of the program
(as I had) and have some VERY UGLY permissions set on
their shadow password files...



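Added example, not part of the original post or of any Cobalt or Neomail tooling: a small audit for the two conditions described above, a shadow file readable beyond its owner (644 instead of 400) and a suidperl binary carrying the set-user-ID bit (mode 4711 in the listing). It assumes GNU-style `stat -c`; the suidperl location is not given in the post, so it is passed in as an argument.

```shell
#!/bin/sh
# Added example. Assumes "stat -c '%a'" (GNU coreutils or busybox).
# Function names are illustrative; the suidperl path is supplied by the caller.

# mode_exposed MODE: true if an octal mode grants group or other any access.
mode_exposed() {
    [ $(( 0$1 & 077 )) -ne 0 ]
}

# mode_setuid MODE: true if the set-user-ID bit (04000) is present.
mode_setuid() {
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# audit_shadow FILE: report a shadow file that is not owner-only.
audit_shadow() {
    [ -e "$1" ] || return 0            # a missing file is not a finding
    m=$(stat -c '%a' "$1") || return 2
    if mode_exposed "$m"; then
        echo "FINDING: $1 is mode $m, expected 400"
        return 1
    fi
}

# audit_setuid FILE: report a file that has the set-user-ID bit.
audit_setuid() {
    [ -e "$1" ] || return 0
    m=$(stat -c '%a' "$1") || return 2
    if mode_setuid "$m"; then
        echo "FINDING: $1 is set-user-ID (mode $m)"
        return 1
    fi
}

# audit_host ROOT SUIDPERL_PATH: run every check under ROOT ("" for the
# live system) and return the number of findings as the exit status.
audit_host() {
    n=0
    for f in "$1/etc/shadow" "$1/etc/shadow-"; do
        audit_shadow "$f" || n=$((n + 1))
    done
    audit_setuid "$1$2" || n=$((n + 1))
    return "$n"
}
```

Run as root on the live system with, for instance, `audit_host "" /usr/bin/suidperl` (that path is an assumed location), or point ROOT at a mounted backup to see when the modes changed.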