What's so special about uudecode?

Ronald S H Khoo ronald at robobar.co.uk
Mon Dec 31 12:08:16 AEST 1990


[ this really wants to go to alt.security.d, but seeing as it doesn't exist,
  I've redirected to alt.security.  Sorry folx ]

tronix at polari.UUCP (David Daniel) writes:

>      [remainder of security hole explanation deleted]
[ the setuid-to-uucp uudecode one ]
 
> You should have answered this person via e-mail with a cc to root.

Nope.  It's a general interest question that pops up from time to time,
sometimes I give the answer, sometimes I don't.  Maybe it should go into
the FAQ.  It's hardly new, nor is it hard to find (find / -perm would
have found it straight away, and I can't see any half competent cracker
missing that trick)

Has someone got a summary of the last 30 "you should not have posted
that, Oh yes I should, Oh no you shouldn't" discussions taht we've had
which they can mail to Mr. Daniel ?

> I'm glad I don't have an account on his system.

Why?  What can a cracker do with a uucp shell?  Get network passwords to
fund his cracking with ?  Forge mail (that's easy enough anyway) ?
That's his sysadmin's problem, not yours.

Nothing to crack *your* account with that I know of, unless someone
knows one.  Please post.  If such a hole exists, I want to plug it.

Ronald, at this point, pretty fed up with all this pettiness...
-- 
ronald at robobar.co.uk +44 81 991 1142 (O) +44 71 229 7741 (H)



More information about the Comp.unix.questions mailing list