>> Don't know about BSDi, but on Solaris uucp owns tip, uuencode, uudecode,
>> and others. So if I can use this vuln to su uucp, I can trojan e.g.
>> tip. Then the next time root runs what he thinks is tip, I've got the
>> box.
>
>on solaris:
>
>$ grep uucp /etc/inetd.conf
>uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd

I think you'll find that in Solaris 8 and later, only those executables
that are set-uid uucp have retained uucp ownership.

(Tip, of course, is still often executed by root in some settings)

(Oh, and we're discussing a buffer overflow in uucp on BSDi, so Solaris
may not be a target for this problem)

Casper
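
The ownership question raised in this thread can be checked on a given host. The script below is an added example, not part of the original messages: it lists executables owned by an account such as uucp and separates those that are set-uid from those whose ownership serves no purpose. The function names and the directories in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits executables owned by a
# non-root system account such as uucp.
# Usage (directory list is an assumption, adjust per system):
#   sh audit.sh uucp /usr/bin /usr/sbin /usr/lib/uucp

# classify_owned_execs OWNER DIR...
# Prints one line per regular, executable file owned by OWNER:
#   SETUID <path>  set-uid bit set: the file runs with OWNER's uid
#   PLAIN <path>   no set-uid bit: ownership only lets OWNER rewrite the file
classify_owned_execs() {
    owner=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Executable by anyone, owned by OWNER, set-uid bit present.
        find "$dir" -type f -user "$owner" \
            \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
            -perm -4000 -print | sed 's/^/SETUID /'
        # Same, but without the set-uid bit.
        find "$dir" -type f -user "$owner" \
            \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
            ! -perm -4000 -print | sed 's/^/PLAIN /'
    done
}

# count_plain OWNER DIR...
# Number of executables owned by OWNER that are not set-uid.
count_plain() {
    classify_owned_execs "$@" | grep -c '^PLAIN ' || true
}

# Run the audit only when arguments are given on the command line.
if [ $# -gt 0 ]; then
    classify_owned_execs "$@"
fi
```

PLAIN entries are candidates for a chown to root. SETUID entries still deserve attention where root runs them directly, as noted above for tip.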