> 2. This bug probably applies to FreeBSD-3.1 and even to OpenBSD and others.

Yes, I've tested it on 3.1-STABLE.

> I have no exploit and probably will not have free time (I think
> 3 days is more than enough) for doing it, but I believe it is
> possible to exploit this bug using a carefully designed directory
> tree to execute arbitrary commands as root during
> /etc/daily->/etc/security->find.
> REMOTE ROOT EXPLOIT (POSSIBLE).

I think that it will be hard to write an exploit. I've tested it on my 2.2.8-RELEASE at home. 'Find' segfaults when it tries to do:

    (void)puts(entry->fts_path);

because of a junk pointer to structure 'entry'. IMHO it _always_ points to 0x200291d6, so it tries to execute (IMHO) _always_ the same commands:

    0x200291d6 <puts+34>:   repnz scasb %es:(%edi),%al
    0x200291d7 <puts+35>:   scasb %es:(%edi),%al
    0x200291d8 <puts+36>:   movl %ecx,%eax
    0x200291d9 <puts+37>:   enter $0xd0f7,$0x89
    0x200291da <puts+38>:   notl %eax
    0x200291db <puts+39>:   rorb 0x488de455(%ecx)
    0x200291dc <puts+40>:   movl %edx,0xffffffe4(%ebp)
    0x200291dd <puts+41>:   pushl %ebp
    0x200291de <puts+42>:   inb $0x8d,%al
    0x200291df <puts+43>:   leal 0xffffffff(%eax),%ecx
    0x200291e0 <puts+44>:   decl %eax
    0x200291e1 <puts+45>:   decl 0x938de84d(%ecx)
    0x200291e2 <puts+46>:   movl %ecx,0xffffffe8(%ebp)
    0x200291e3 <puts+47>:   decl %ebp
    0x200291e4 <puts+48>:   call 0xc1532576 <end+2705991902>

and here it segfaults.

--
* Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 *
* Inet: venglinat_private ** PGP:D48684904685DF43EA93AFA13BE170BF *
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:46:02 PDT