fyi. Don't know if this is fixed in the new release, or not? I've also sent another message after this one with some follow-up info.

Neale Partington
President, Great Plains Free-Net Inc.,
Regina, Sk., Canada
Neale@gpfn.sk.ca
GPFN OFFICE (voice): 306-569-8554
MODEM POOL: 306-569-8555
Members get access to express lines as well.

---------- Forwarded message ----------
Date: Fri, 13 Dec 1996 01:34:49 -0600 (CST)
From: Michael Lee <mlee@GPFN1.GPFN.SK.CA>
To: Daryle Niedermayer <daryle@gpfn.sk.ca>, Neale Partington <neale@gpfn.sk.ca>, Robert Greenfield <rhg@gpfn.sk.ca>
Subject: ** CONFIDENTIAL **

The following is a collection of the conversation regarding Gale (aa075) and "shell" accounts. I did not mail this to the execs list because that list is publicly viewable and the information I am about to tell should not be viewable by the public. You should forward this information to the appropriate groups/execs/system people, I didn't because I didn't know who should be getting this information except the people who have the root access (you guys). :-)

On Fri, 6 Dec 1996, Robert Greenfield wrote:
> On Fri, 6 Dec 1996, Gord Fisch wrote:
>
> > Gale got me with a 'talk' on the system the other night. She was saying a while ago "wouldn't it be nice to have a shell account" and now she does.
> >
> > I guess I'm wondering who all has shell accounts, who sets them up and if it really matters to me (who should it matter to?). Just wondering 8)
>
> First there were shell accounts.... This is before csuite. Shell accounts need much more learning to use. They also give the user much more freedom of activity than a csuite account grants. I'd be unhappy to see folks receiving shell accounts who are not fully trusted and who are not otherwise involved in taking care of the gpfn computer, Bob

---

On Fri, 6 Dec 1996, Daryle Niedermayer wrote:
> My next question is:
>
> Who gave Gale a shell account?
---

On Sat, 7 Dec 1996, Daryle Niedermayer wrote:
> I fingered Gale earlier today and confirmed that he only has a csuite account. Either he has a different account on a different system which is a shell account, or he has found a way to crack out of the lynx pseudo-OS, or he just thinks he has a shell account, I don't know.

---

On 12 Dec 1996, Daryle Niedermayer wrote:
> I just killed off a running vi session by Michael Lee with the following ps entry:
> 8 R 1109 15356 15355 80 79 20 fc542cc0 265 pts/15 412:35 vi

-----------------------

To put it in a nutshell, I'VE PASSED THE SECURITY FEATURES OF "OUR" CSUITE/LYNX SETUP AND ENTERED THE SHELL!!!

Please note however, that I have little and I mean very little unix experience (about 2 UofR CS classes) and if I can do it, imagine what someone with a bit more experience can do.

I did this in about 2 stages (which I will document), however some spots can be bypassed. Like I said I don't have much unix experience and now that I rethink the situation I know some steps are not necessary in order to go into the shell.

Stage 1:

I have the "w" command in my opening .login file, and upon login many times I've seen Gale (sorry to pick on Gale, but this did sort of revolve around him) "what" as something like

User tty login@ idle JCPU PCPU what
aa075 pts/0 12:02am 11 2 lynxexec:/var/csuite/bin/../../../bi

(the above was an example)

"what" cuts it off after x number of characters so I couldn't tell exactly what he was doing. Upon doing my own investigation and using my csuite member account (the aa ones) I tried doing a "j"ump using lynxexec command. Sure, it didn't let me, but then I tried something that I learned from the Saskatoon free-net. In the beginning SFN told people that they won't let you randomly telnet to a location by using the jump command, but if you put a telnet link in a page they would let you.
Well, I used what I remembered and tried putting a lynxexec command as a link in my bookmarks page and voila it worked. First, I copied the same link as presented to me on the footer of the screen for the mail link (I have advanced setup in user settings). So I put lynxexec:/var/csuite/bin/mail as a link and it worked, so I tried other things outside the bin directory by using simple unix parent directory calls like lynxexec:/var/csuite/bin/../../../bin/"unix command" because Gale had part of that in the what field (sure, part of it was cut off but I filled in the blank).

Well, most of the commands worked including talk, who, w, vi, etc. Some had to be made fresh every time like the talk command because you had to specify who you wanted to talk to, but it worked. (The vi editor worked as noted above with the runaway process, since vi (I don't think) is available to csuite users since pico is the text editor). Yes, I know this isn't the shell, but almost all executable files can be used if the correct path was used. Next, I tried to execute one of the "sh"ells, which brings me to stage two.

Stage 2:

I tried executing one of the shells like csh, ksh, etc. earlier in the day, but they didn't work well. I had a [x]% prompt (where x is a number) but whenever I type a command it didn't work. I returned later in the day after remembering about the hidden dot files. Apparently, you can't edit dot files in pico (in csuite), but vi (using the lynxexec method) will. So, I copied my unix shell .login and .cshrc files over and tried it that way and launched csh again. It didn't work and still had the [x]% prompt. I then remembered the set command and I noticed that the path was to the /var/csuite/bin directory so that only the executable files in that directory were allowed to launch.
So, switching back to my unix mlee shell account, I checked my set variables and used the same paths as in my shell account to the newly discovered csuite/unix account and now I had all the commands of a normal shell user. I tweaked some lines in my .cshrc file and now every time I launch csh from my csuite bookmark file, I get the gpfn1[x]% prompt and am a shell user.

Of course I went the hard way, I realize that I didn't need the .login and .cshrc files. All I had to do after launching csh was to set proper paths and the commands would work and THEN make dot files.

Solutions:

1) The most important would be to disallow lynxexec commands outside the csuite directories. If this can be done, everything should be okay because you won't have to worry about dot files (because the current pico already is set up so you can't create them) and nothing outside the csuite can be executed (the csh).

Other solutions???

That is about it, it is 1:30am now - a bit past my bedtime. Later.

PS. I hope you guys don't think I'm a security threat, after all I've had my unix shell account for 1.5+ years and I don't think I've caused any trouble :-) And, no, I'm not a hacker - actually this would be the first thing I've actually tried and "cracked". I am just trying to plug any holes in this system, and to see it run smoothly... since I am a paid voting member of the "society" and want it to continue to serve the community.

---
Michael Lee - mlee@gpfn.sk.ca
[1] Information Provider (BBS List)... since Aug. '95 http://www.gpfn.sk.ca/inet/bbslist/index.html
[2] Public Download Area (PDA) - Macintosh Admini
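
The restriction proposed under "Solutions" in the message above (refuse lynxexec targets outside the csuite directory), written out as a path check plus an audit of a user's bookmark page. This is an added example, not part of the original message and not code from Lynx or csuite; the function names, the character allowlist and the sample bookmark page are assumptions constructed for illustration.

```python
import posixpath
import re

ALLOWED_DIR = "/var/csuite/bin"   # menu program directory named in the message
# Assumption: menu programs and their arguments need only these characters.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_.@/-]+")
HREF_RE = re.compile(r'href\s*=\s*"(lynx(?:exec|prog):[^"]*)"', re.IGNORECASE)

def exec_target_allowed(url, allowed_dir=ALLOWED_DIR):
    """True only if the exec URL names a program directly inside allowed_dir
    using an already-canonical absolute path."""
    scheme, _, command = url.partition(":")
    if scheme.lower() not in ("lynxexec", "lynxprog"):
        return False
    tokens = command.split(" ")
    if not all(SAFE_TOKEN.fullmatch(t) for t in tokens):
        return False                      # empty token or unexpected character
    program = tokens[0]
    # Refuse anything that changes under lexical normalisation: ".", "..",
    # doubled or trailing slashes. No filesystem lookup is done here, so
    # symlinks inside allowed_dir still need a separate realpath check.
    if posixpath.normpath(program) != program:
        return False
    return posixpath.dirname(program) == allowed_dir

def audit_bookmarks(html):
    """Return every exec link in a bookmark page that fails the check."""
    return [u for u in HREF_RE.findall(html) if not exec_target_allowed(u)]

# Constructed sample bookmark page (not taken from a real account).
SAMPLE_BOOKMARKS = """\
<a href="lynxexec:/var/csuite/bin/mail">Mail</a>
<a href="lynxexec:/var/csuite/bin/../../../bin/csh">csh</a>
<a href="LYNXEXEC:/var/csuite/bin/./../bin/pico">pico</a>
<a href="lynxexec:/var/csuite/binx/tool">tool</a>
<a href="http://www.gpfn.sk.ca/">GPFN</a>
"""

if __name__ == "__main__":
    for url in audit_bookmarks(SAMPLE_BOOKMARKS):
        print("outside " + ALLOWED_DIR + ": " + url)
```

Comparing the directory name exactly, rather than testing for a string prefix, is what keeps a sibling directory such as the constructed `/var/csuite/binx` from passing.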