Re: FreeBSD 4.3 local root

From: Foldi Tamas (crowat_private)
Date: Fri Jul 13 2001 - 04:39:02 PDT


    > Quick workaround is to limit arguments, environment and filter non-ascii
    > characters:
    > 
    > http://www.frasunek.com/sources/security/rexec/
    
    This workaround is not complete, because it doesn't protect against
    exploitation of the bug. For example, the attacker can send the shellcode
    via stdin to the suid program. Its address can also be determined by
    removing the suid bit from the program and tracing it as non-root.
    
    What's your opinion? 
    
    (BTW, rexec is generally a good idea, we like it)
    
    Best regards,
    Megyer Ur (lez), Foldi Ur
    
    -- 
    . . _ __ ______________________________________________________ __ _ . .
    Foldi Tamas - We Are The Hashmark In The Rootshell - Security Consultant
       crowat_private - PGP: finger://crowat_private - (+3630) 221-7477 
    


