
Re: [cobalt-security] RaQFuCK



>> Does anyone know of a fix, or if any of the recent Cobalt/SUN patches
>> addressed the RaQFuCK hack that grabs access from /usr/lib/authenticate and
>> opens a shell..?  I just discovered a user who recently found, and apparently
>> tried to execute this hack/script on my RaQ4 (found scraps of the script and
>> the gmon.out file on the system).. I don't permit shell access, and I'm not
>> sure if they managed to get a shell with the script, and frankly I'm not
>> interested in trying the script on my only RaQ4 which is in production - but
>> I'll be a little hot under the collar if I discover this user got a shell and
>> this issue hasn't been patched/addressed in any of the recent patches.. This
>> exploit has been in the wild for at -least- 3 months already.. Has this been
>> addressed/fixed if the RaQ4 is fully patched..?  Thanks!
>> 
> This patch
> 
> http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-All-Security-2.0.1-2-15787.pkg
> 
> is supposed to fix the issue among other things.  Or, on September 25 I posted
> instructions on how to fix the problem by hand:
> 
> http://list.cobalt.com/pipermail/cobalt-security/2002-September/006327.html

IIRC, the hack doesn't really do anything until you reboot the machine. If
the script has been executed, you definitely ought to go through the machine
with a fine-toothed comb.

HTH,
j
-- 
http://www.bizmanuals.com