Linux sliplogin hole

Summary
Description:sliplogin does system() as root w/o clearing environment, so you can do things like set IFS='/'.
Author:David Holland <dholland@hcs.HARVARD.EDU>
Compromise: root (local)
Vulnerable Systems:Any with sliplogin older than 2.1.0, mostly linux systems (many BSD distributions have the program, but it apparently can't be exploited to another error).
Date:16 July 1996
Details

Exploit:

Date: Tue, 16 Jul 1996 15:27:19 -0500
From: David Holland 
To: Multiple recipients of list BUGTRAQ 
Subject: [linux-security] sliplogin

Anyone running a version of sliplogin older than sliplogin-2.1.0
(which can be gotten from sunsite.unc.edu:/pub/Linux/system/Network/serial
or ftp.uk.linux.org:/pub/linux/Networking/transports) should remove it
or upgrade it immediately.

It does

        setuid(0);
        if (s = system(logincmd)) {
           :
        }

without clearing the environment first. Therefore, anybody can get
root trivially.

The sliplogin from NetKit-B-0.06 is affected.
Current RedHat sliplogin is not affected.
Others I don't know about.

--
   - David A. Holland          | Number of words in the English language that
     dholland@hcs.harvard.edu  | exist because of typos or misreadings: 381


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]