Subject: Re: Removing dm(1)
To: Jason Thorpe <thorpej@nas.nasa.gov>
From: Curt Sampson <cjs@portal.ca>
List: tech-security
Date: 11/18/1997 10:37:26
On Tue, 18 Nov 1997, Jason Thorpe wrote:

> Care to explain this in real detail?  How does the fact that a program
> runs setuid "games" (which gives it permission to write high scores
> files, among other things) allow me to access the account of any user
> that runs a game?

This was already explained in detail. Set your screen height to 25
or less, run /usr/games/fish, ask for instructions, and then spawn
a subshell from the more(1) that displays the instructions. You
are now the games user, and can replace any game you like with a
trojan with the same functionality, but that also squirrels away
a copy of /bin/sh suid to the user running it, or does whatever else
you like as that user running it. Do this with fortune(6), for
example, and you nail some users (such as me) every time they log in.

cjs

Curt Sampson    cjs@portal.ca	   Info at http://www.portal.ca/
Internet Portal Services, Inc.	   Through infinite myst, software reverberates
Vancouver, BC  (604) 257-9400	   In code possess'd of invisible folly.
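The underlying pattern in the message above is general: a program that runs setuid to a non-root account is only as trustworthy as everything that account owns, because the owner can always chmod and overwrite its own files. The script below is an added example, not code from the thread or from any BSD tree; it audits a directory tree for setuid/setgid binaries whose owning account (or group) could replace them, and runs over a constructed sample modelled on a /usr/games layout (uid 7 and gid 13 for "games" are assumed for the sample only).

```python
# Added example (not from the mailing-list thread): audit a tree for the
# setuid-to-a-non-root-account pattern described above. Any shell escape
# as that account (a pager subshell, say) lets an attacker trojan every
# other program the account owns, so each such binary is reported together
# with how many other files the same uid owns in the tree.
import os
import stat
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int   # st_mode, type bits and permission bits
    uid: int
    gid: int


def audit(entries):
    """Return (path, reason) findings for risky setuid/setgid regular files.

    Works on plain records so it can run over constructed input as well as
    over a real lstat() walk produced by scan().
    """
    findings = []
    owned_by = {}
    for e in entries:
        if stat.S_ISREG(e.mode):
            owned_by.setdefault(e.uid, []).append(e.path)

    for e in entries:
        if not stat.S_ISREG(e.mode):
            continue
        mode = e.mode
        if mode & stat.S_ISUID and e.uid != 0:
            # setuid runs as the file owner, and the owner can chmod and
            # rewrite whatever it owns: compromise of this uid is compromise
            # of every binary listed here, and of every user who runs them.
            others = len(owned_by[e.uid]) - 1
            findings.append((e.path,
                             f"setuid to non-root uid {e.uid}, which owns this "
                             f"binary and {others} other file(s) in the tree"))
        if mode & stat.S_ISGID and mode & stat.S_IWGRP:
            findings.append((e.path,
                             f"setgid to gid {e.gid} and group-writable: "
                             f"any member of the group can replace it"))
        if mode & (stat.S_ISUID | stat.S_ISGID) and mode & stat.S_IWOTH:
            findings.append((e.path, "setuid/setgid and world-writable"))
    return findings


def scan(root):
    """Walk root with lstat() and build Entry records for audit()."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            entries.append(Entry(p, st.st_mode, st.st_uid, st.st_gid))
    return entries


# Constructed sample (assumed uid 7 / gid 13 for "games"), not a real listing.
SAMPLE = [
    Entry("/usr/games/fish", stat.S_IFREG | 0o4555, 7, 13),        # setuid games
    Entry("/usr/games/fortune", stat.S_IFREG | 0o4555, 7, 13),     # also owned by games
    Entry("/usr/games/hack", stat.S_IFREG | 0o2555, 0, 13),        # root-owned, setgid games
    Entry("/var/games/fish.scores", stat.S_IFREG | 0o664, 0, 13),  # only the score file is group-writable
    Entry("/usr/games/bad", stat.S_IFREG | 0o2775, 0, 13),         # setgid and group-writable
]


if __name__ == "__main__":
    entries = scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for path, reason in audit(entries):
        print(f"{path}: {reason}")
```

The sample also shows the shape of the fix the thread is arguing for: /usr/games/hack is root-owned and setgid to the games group, so it can update a group-writable score file but nothing in the games account can rewrite the binary, and it draws no finding. Run the script with a directory argument (for example /usr/games) to audit a live system instead of the sample.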