[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SECURITY PROBLEM: autofs [all versions]


Disable booting from floppy in BIOS, password protect LILO, install
chassis intrusion detection system wired to gun turrets with 50mm heavy
machine guns...

...okay, I think I'm going a little overboard here... ;)



PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

Version: 3.12
GCS/CM>CC/IT d- s:+ a16 C++(++++)>$ UL++++>$ P---() L+++>+ E+>+ W+(-) N o? K? w--() 
!O M- !V PS+>+ PE- Y+ PGP t+ !5 X-- !R tv b DI D++ 
G>+++ e-- h! !r y 

On Sat, 1 Jul 2000, Thor wrote:

> Hi,
> > I'm obviously doing something wrong ...
> > 
> > I've written to the maintainer of the autofs package according to the
> > page summary listed under 'packages' from the website, and as I also saw
> > somewhere else (dpkg -s listing?).  I filed a bug report against autofs
> > and marked it as release critical.  I have heard nothing for the past
> > two (three?) days and need to make this known:
> > 
> > There is a severe security problem for all debian machines running any
> > version of autofs and having a floppy drive available as /dev/fd0.  The
> > options listed in /etc/auto.misc fail to include the options
> > "nosuid,nodev" and as such anyone with a floppy disk and physical access
> > to a floppy drive may become root on that machine.
> > 
> > Here is the 'sploit:
> huh ? and you call this an xploit ?
> if you have physical access to the console and floppy drive you can always 
> start with a boot + root floppy, mount the hard disk and modify the 
> mounted /etc/passwd file ... this is an old trick, usefull when you 
> loose the root password ;-)
> ---
> ;---+---;
> bye |
> bye |hor
> --  
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: