[ale] hackers and their methods

Chris Fowler cfowler at outpostsentinel.com
Tue Feb 19 19:37:27 EST 2002



If I am correct, vi allows shell execution. For instance, let's assume that Bob is only allowed to run vi and edit a file. That is all.

In his shell script or in the passwd file you would have something like this:

    exec /bin/vi /usr/data/daily_report

Bob will log in every day and edit the daily report, and cron will send it out to everyone.

Bob gets crafty. In vi he does :!/bin/ksh. Now Bob has a shell. Ouch. What more can Bob do? Little things like that can cause problems.

-----Original Message-----
From: Stephen Turner [mailto:artic_knight at yahoo.com]
Sent: Tuesday, February 19, 2002 5:43 PM
To: ale at ale.org
Subject: [ale] hackers and their methods

So I remove all these packages from my box; should I bother removing vi? It offers no hacks as I see it, but I suppose my REAL question is: can a Linux hacker or someone hacking Linux run programs outside of your box that will configure or alter the box? Or do you have to add programs such as a text editor in order to alter text? And what stops them from installing or "planting" them on my server?
  
  
  Do You Yahoo!?Yahoo! 
  Sports - Coverage of the 2002 Olympic Games
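An audit for the setup described in the message above, added here as an example and not part of the original post: it flags accounts whose passwd login program is an editor or pager with a built-in shell escape, or a wrapper script that launches one. The account entries, the report_edit and menu wrapper paths, and the list of escape-capable programs are constructed assumptions; only the exec line comes from the message.

```python
import os
import shlex

# Assumption: illustrative, not exhaustive, list of programs with a shell escape.
ESCAPE_CAPABLE = {"vi", "vim", "view", "ex", "ed", "less", "more", "emacs"}

# Constructed sample data: passwd entries and the text of two wrapper scripts.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/ksh
bob:x:501:100:Bob:/home/bob:/usr/local/bin/report_edit
carol:x:502:100:Carol:/home/carol:/bin/vi
dave:x:503:100:Dave:/home/dave:/usr/local/bin/menu
"""
SAMPLE_SCRIPTS = {
    "/usr/local/bin/report_edit": "#!/bin/ksh\nexec /bin/vi /usr/data/daily_report\n",
    "/usr/local/bin/menu": "#!/bin/ksh\nexec /usr/local/bin/report_menu\n",
}

def escape_capable(path):
    """True if the program name is on the escape-capable list."""
    return os.path.basename(path) in ESCAPE_CAPABLE

def wrapper_targets(script_text):
    """Return the program named on each command line of a wrapper script."""
    targets = []
    for line in script_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line, comments=True)
        if words and words[0] == "exec":
            words = words[1:]          # look at what exec hands control to
        if words:
            targets.append(words[0])
    return targets

def audit(passwd_text, scripts):
    """Return (user, login_program, escape_capable_program) findings."""
    findings = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) != 7:           # skip malformed passwd lines
            continue
        user, shell = fields[0], fields[6]
        if escape_capable(shell):      # editor used directly as login shell
            findings.append((user, shell, shell))
        for prog in wrapper_targets(scripts.get(shell, "")):
            if escape_capable(prog):   # wrapper script launches an editor
                findings.append((user, shell, prog))
    return findings

if __name__ == "__main__":
    for user, shell, prog in audit(SAMPLE_PASSWD, SAMPLE_SCRIPTS):
        print(f"{user}: login program {shell} reaches {prog} (shell escape possible)")
```

Where the editor is Vim, its restricted mode (rvim or vim -Z) disables shell commands and is one way to close the escape for accounts this audit flags.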



