more info on the iosmash.c exploit: msg#00350 security.bugtraq
phased had some comments he wanted me to forward on to the lists in regards to his latest exploit. He says that skeys are used via all authentication methods, i.e. telnet, so someone could change the user to someone in the wheel group. Haven't used skeys via ssh yet but I presume it works. Root obviously can't just telnet in by default but usually can ssh, but if the box being exploited contains people in the wheel group you can change the root user in the exploit to any user to log in via skeys as that user.

-sert-

That file you've been guarding, isn't.

-------------------------------------------------------------------
Secure Network Operations
http://www.snosoft.com
recon@xxxxxxxxxxx
Project Cerebrum Strategic Reconnaissance Team
cerebrum@xxxxxxxxxxx

---------- Forwarded message ----------
Date: Wed, 24 Apr 2002 03:33:15 +0400
From: James Green <phased@xxxxxxx>
To: recon@xxxxxxxxxxx
Subject: the iosmash.c exploit

in the comments i used su to gain root, someone needs to post to bugtraq that skeys is used via all auth methods, i.e. telnet so you could change the user to someone in wheel, haven't used skeys via ssh but i presume it works. root isn't allowed to telnet default but usually can ssh, but if the box has people in the wheel group you can change the root to any user in the exploit to log in via skeys as that user.

btw don't forward this post can i had some beers tonight heh :) put it in better english lol

phased
phased@xxxxxxxxxxx