[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] Another Local root exploit (interbase)

Subject: Re: [cobalt-security] Another Local root exploit (interbase)
From: "David Smulsky" <dave@xxxxxxxxxxxxxxxx>
Date: Fri, 27 Sep 2002 12:28:58 -0400
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Doh, I forgot to read about it, I was expecting it to just return a root
shell on execution, not reboot


Dave Smulsky
Senior Network Admin

dave@xxxxxxxxxxxxxxxx
www.thehostworks.com
----- Original Message -----
From: "Fragga" <fragga@xxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Friday, September 27, 2002 12:10 PM
Subject: Re: [cobalt-security] Another Local root exploit (interbase)


lol i`ve no idea man.

I figured you might know what you were doing before you executed it ? oops.

errm.... well it looks like it modifes xinetd so this shell gets binded to
666 on startup,
so take a peek in /etc/inetd.d and you should find something in there ?

anyone else run a raq 550 who coudl advise of anything else he might need to
check ?

fragga

----- Original Message -----
From: "David Smulsky" <dave@xxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Friday, September 27, 2002 10:47 AM
Subject: Re: [cobalt-security] Another Local root exploit (interbase)


> Before I forget, how do I get rid of this rootshell IF it has worked? I
dont
> plan on rebooting, but would like to asure myself that it wont be there
> _WHEN_ i do :P
>
>
> Dave Smulsky
> Senior Network Admin
>
> dave@xxxxxxxxxxxxxxxx
> www.thehostworks.com
> ----- Original Message -----
> From: "Fragga" <fragga@xxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Sent: Friday, September 27, 2002 11:13 AM
> Subject: Re: [cobalt-security] Another Local root exploit (interbase)
>
>
> Did you read the source code ?
>
> <snip>
> /* check for a rootshell on port 666 after the machine has rebooted.
>  * exploit written to work on a raq550 using xinetd
>  */
> </snip>
>
> This exploits works upon reboot . You better check this as
> the next time you do a reboot if this exploit /has/ worked when it
> boots there will be a root shell binded to port 666
>
> fragga
>
> ----- Original Message -----
> From: "David Smulsky" <dave@xxxxxxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Sent: Friday, September 27, 2002 9:29 AM
> Subject: Re: [cobalt-security] Another Local root exploit (interbase)
>
>
> > nah, i wasnt going to go out of my way and reboot
> >
> > Dave Smulsky
> > Senior Network Admin
> >
> > dave@xxxxxxxxxxxxxxxx
> > www.thehostworks.com
> > ----- Original Message -----
> > From: "Fragga" <fragga@xxxxxxxxxxxx>
> > To: <cobalt-security@xxxxxxxxxxxxxxx>
> > Sent: Friday, September 27, 2002 10:02 AM
> > Subject: Re: [cobalt-security] Another Local root exploit (interbase)
> >
> >
> > maybe although its just a setuid binary, did u reboot machine and are u
> > using  xinetd ?
> >
> > fragga
> >
> > ----- Original Message -----
> > From: "David Smulsky" <dave@xxxxxxxxxxxxxxxx>
> > To: <cobalt-security@xxxxxxxxxxxxxxx>
> > Sent: Friday, September 27, 2002 6:55 AM
> > Subject: Re: [cobalt-security] Another Local root exploit (interbase)
> >
> >
> > > maybe you need to have interbase working and running?? i didnt
> > >
> > > dave
> > > ----- Original Message -----
> > > From: "Fragga" <fragga@xxxxxxxxxxxx>
> > > To: <cobalt-security@xxxxxxxxxxxxxxx>
> > > Sent: Friday, September 27, 2002 6:10 AM
> > > Subject: Re: [cobalt-security] Another Local root exploit (interbase)
> > >
> > >
> > > > right well its wrote to work on a raq550 as it says in the source..
> > > >
> > > > any raq 550 people who coudl test it ?
> > > >
> > > > ----- Original Message -----
> > > > From: "Rene Luria" <operator@xxxxxxxxxxxxx>
> > > > To: <cobalt-security@xxxxxxxxxxxxxxx>
> > > > Sent: Friday, September 27, 2002 4:58 AM
> > > > Subject: Re: [cobalt-security] Another Local root exploit
(interbase)
> > > >
> > > >
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > > raq4
> > > > > On Friday 27 September 2002 11:35, Fragga wrote:
> > > > > > ok thanks.
> > > > > >
> > > > > > what Raq(s) did u test it on ?
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Rene Luria" <operator@xxxxxxxxxxxxx>
> > > > > > To: <cobalt-security@xxxxxxxxxxxxxxx>
> > > > > > Sent: Friday, September 27, 2002 4:16 AM
> > > > > > Subject: Re: [cobalt-security] Another Local root exploit
> > (interbase)
> > > > > >
> > > > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > > > Hash: SHA1
> > > > > > >
> > > > > > > Nope, it doesn't.
> > > > > > >
> > > > > > > On Friday 27 September 2002 11:04, Fragga wrote:
> > > > > > > > yeah i posted it before but no-one replied.
> > > > > > > >
> > > > > > > > im not sure it if it works. can anyone on here test it ?
> > > > > > > >
> > > > > > > > fragga
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Brett Wright" <brett@xxxxxxxxxxxxx>
> > > > > > > > To: <cobalt-security@xxxxxxxxxxxxxxx>
> > > > > > > > Sent: Thursday, September 26, 2002 8:11 PM
> > > > > > > > Subject: [cobalt-security] Another Local root exploit
> > (interbase)
> > > > > > > >
> > > > > > > > > Hey All
> > > > > > > > >
> > > > > > > > > I haven't tried this but
> > > > > > > > >
> > > > > > > > > http://www.securiteam.com/exploits/5RP0P1P8AI.html
> > > > > > > > >
> > > > > > > > > Sorry if it has already been posted.
> > > > > > > > >
> > > > > > > > > Regards
> > > > > > > > > Brett
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > cobalt-security mailing list
> > > > > > > > > cobalt-security@xxxxxxxxxxxxxxx
> > > > > > > > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > cobalt-security mailing list
> > > > > > > > cobalt-security@xxxxxxxxxxxxxxx
> > > > > > > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > > > > > >
> > > > > > > - --
> > > > > > > Rene Luria <operator@xxxxxxxxxxxxx>
> > > > > > > Unix Administrator - Infomaniak Network SA
> > > > > > > PGP key DFE5C340 at keyserver.pgp.com
> > > > > > > -----BEGIN PGP SIGNATURE-----
> > > > > > > Version: GnuPG v1.0.7 (GNU/Linux)
> > > > > > >
> > > > > > >
iD8DBQE9lCHxJ1jvMN/lw0ARAou/AKDe8ZpCBAGr0qPB9fk9uoSfnveUpACgs8dc
> > > > > > > KFAGFeCbi9pnF2uOkScZm4w=
> > > > > > > =ozi/
> > > > > > > -----END PGP SIGNATURE-----
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > cobalt-security mailing list
> > > > > > > cobalt-security@xxxxxxxxxxxxxxx
> > > > > > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > > > > >
> > > > > > _______________________________________________
> > > > > > cobalt-security mailing list
> > > > > > cobalt-security@xxxxxxxxxxxxxxx
> > > > > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > > > >
> > > > > - --
> > > > > Rene Luria <operator@xxxxxxxxxxxxx>
> > > > > Unix Administrator - Infomaniak Network SA
> > > > > PGP key DFE5C340 at keyserver.pgp.com
> > > > > -----BEGIN PGP SIGNATURE-----
> > > > > Version: GnuPG v1.0.7 (GNU/Linux)
> > > > >
> > > > > iD8DBQE9lCu6J1jvMN/lw0ARAm7AAJ0aSBgaLDDjIRBTBHe+6pZjieL/QwCeOUOC
> > > > > mVDTMHACnZP218tAfrpIsYY=
> > > > > =wzA3
> > > > > -----END PGP SIGNATURE-----
> > > > >
> > > > > _______________________________________________
> > > > > cobalt-security mailing list
> > > > > cobalt-security@xxxxxxxxxxxxxxx
> > > > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > > > >
> > > >
> > > > _______________________________________________
> > > > cobalt-security mailing list
> > > > cobalt-security@xxxxxxxxxxxxxxx
> > > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > > >
> > >
> > > _______________________________________________
> > > cobalt-security mailing list
> > > cobalt-security@xxxxxxxxxxxxxxx
> > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > >
> >
> > _______________________________________________
> > cobalt-security mailing list
> > cobalt-security@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> >
> >
> >
> > _______________________________________________
> > cobalt-security mailing list
> > cobalt-security@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> >
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security

References:
- [cobalt-security] Raq3 Hacked
  - From: e13372002
- Re: [cobalt-security] Another Local root exploit (interbase)
  - From: Rene Luria
- Re: [cobalt-security] Another Local root exploit (interbase)
  - From: Fragga
- Re: [cobalt-security] Another Local root exploit (interbase)
  - From: Rene Luria
- Re: [cobalt-security] Another Local root exploit (interbase)
  - From: Fragga
- Re: [cobalt-security] Another Local root exploit (interbase)
  - From: David Smulsky
- Re: [cobalt-security] Another Local root exploit (interbase)
  - From: Fragga
- Re: [cobalt-security] Another Local root exploit (interbase)
  - From: David Smulsky
- Re: [cobalt-security] Another Local root exploit (interbase)
  - From: Fragga
- Re: [cobalt-security] Another Local root exploit (interbase)
  - From: David Smulsky
- Re: [cobalt-security] Another Local root exploit (interbase)
  - From: Fragga

Prev by Date: [cobalt-security] I dont Have Hosting Sun Cobalt Raq550 :(
Next by Date: [cobalt-security] I dont Have Hosting Sun Cobalt Raq550 :(
Previous by thread: Re: [cobalt-security] I dont Have Hosting Sun Cobalt Raq550 :(
Next by thread: Re: [cobalt-security] Another Local root exploit (interbase)

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index