Subject: rdist security hole, NetBSD 0.9
To: None <netbsd-bugs@sun-lamp.cs.berkeley.edu>
From: Thomas Lopatic <lopatic@informatik.tu-muenchen.de>
List: netbsd-bugs
Date: 02/04/1994 02:55:55
Hello,

you are probably aware of this problem since you mentioned an upgrade to
a newer rdist release in the NetBSD 0.9 todo file. But then again, perhaps
you aren't. :) To exploit the hole:

- invoke rdist with the line 'rdist -Server'
- then type 'S' followed by any command, e.g. 'Sid', which will show
  that any command run by rdist is executed with a real uid of 0.

Since rdist simply swaps euid and uid, the call to setuid in server.c does
not succeed (uid = 0, euid = uid of the user invoking rdist from the shell).

-Thomas
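The failure described above (swap real and effective uid, then call setuid() on the unprivileged id) can be reproduced without a setuid binary by modelling the kernel's permission rule in user space. The program below is an added example, not rdist's code and not part of the original report. It assumes the 4.3BSD-derived rule that setuid(u) succeeds only if u is the caller's real uid or the caller is effectively root, and it omits the saved set-user-id; the credential struct, function names and the uid 1000 are constructed for the illustration. It also shows the ordering that does drop privilege for good and why a command spawned after the broken sequence can regain root.

```c
#include <stdio.h>

/* Model uid type; kept distinct from the system's uid_t on purpose. */
typedef unsigned int muid_t;

/* Process credentials as the model tracks them (saved uid omitted). */
struct cred {
    muid_t ruid;   /* real uid */
    muid_t euid;   /* effective uid */
};

/* setuid(u) under the 4.3BSD-derived rule assumed here: permitted if u is
 * the caller's real uid or the caller is effectively root; on success both
 * ids become u. Returns 0 on success, -1 for EPERM. */
static int model_setuid(struct cred *c, muid_t u)
{
    if (u != c->ruid && c->euid != 0)
        return -1;
    c->ruid = c->euid = u;
    return 0;
}

/* setreuid(r, e) as the swap case needs it: an unprivileged caller may
 * only use ids it already holds as real or effective uid. */
static int model_setreuid(struct cred *c, muid_t r, muid_t e)
{
    if (c->euid != 0) {
        if (r != c->ruid && r != c->euid) return -1;
        if (e != c->ruid && e != c->euid) return -1;
    }
    c->ruid = r;
    c->euid = e;
    return 0;
}

/* The sequence the report describes: rdist starts setuid-root
 * (ruid=user, euid=0), swaps the two, then calls setuid(user) before
 * spawning the 'S' command. Leaves the resulting creds in *out and
 * returns the setuid() result. */
static int rdist_sequence(muid_t user, struct cred *out)
{
    struct cred c = { user, 0 };
    model_setreuid(&c, 0, user);          /* swap: ruid=0, euid=user */
    int rc = model_setuid(&c, user);      /* EPERM: user != ruid(0), euid != 0 */
    *out = c;                             /* the command inherits ruid 0 */
    return rc;
}

/* Corrected ordering: swap back so the process is effectively root again,
 * then setuid(user) drops both ids for good. */
static int fixed_sequence(muid_t user, struct cred *out)
{
    struct cred c = { user, 0 };
    model_setreuid(&c, 0, user);          /* the swapped state rdist is in */
    model_setreuid(&c, user, 0);          /* swap back: ruid=user, euid=0 */
    int rc = model_setuid(&c, user);      /* succeeds because euid is 0 */
    *out = c;
    return rc;
}

/* What a spawned command can do: with ruid 0, setuid(0) is permitted and
 * yields full root. Returns 1 if root is regained, 0 otherwise. */
static int child_regains_root(struct cred c)
{
    return model_setuid(&c, 0) == 0 && c.euid == 0;
}

int main(void)
{
    struct cred c;
    int rc = rdist_sequence(1000, &c);
    printf("rdist-style: setuid rc=%d ruid=%u euid=%u regain_root=%d\n",
           rc, c.ruid, c.euid, child_regains_root(c));
    rc = fixed_sequence(1000, &c);
    printf("fixed:       setuid rc=%d ruid=%u euid=%u regain_root=%d\n",
           rc, c.ruid, c.euid, child_regains_root(c));
    return 0;
}
```

The point the model makes explicit: once the real uid is 0 and the effective uid is the user, setuid(user) has no privilege to succeed, but setuid(0) in the child needs none because 0 already is the real uid. Privilege must be dropped while the process is still effectively root, or the swap must be undone first.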
