> Credits: Joost Pol <joostat_private>

Joost rules. And my apologies to Pine for always being late paying my bills.
Sorry :-)

This is a simple test, executing a setuid process with file descriptor 2
closed, and then opening a file and seeing what fd it gets.

Linux 2.2.16 RedHat AXP        Not vulnerable (thanks fets)
Linux 2.5.6 Debian `Woody'     Not vulnerable
Linux 2.4.18 Debian `Potato'   Not vulnerable
OpenBSD 2.9                    Not vulnerable (thanks dim)
OpenBSD 3.0                    Not vulnerable (thanks sateh)
OpenBSD 3.1                    Not vulnerable (thanks dim)
OS X 10.1.4                    Not vulnerable (thanks sateh)
NetBSD 1.4.2                   Not vulnerable (thanks bounce)
Solaris 2.5.1-2.5.8            Vulnerable

Code on http://ds9a.nl/setuid-fd-2.tar.gz

For further tests, 'outer' might try to exhaust *all* available file
descriptors except 0, 1 or 2. This is left as an exercise for the reader, or
maybe we will beat you to it. The trick is to leave enough fd's available for
ld.so.

Regards,

bert

--
http://www.PowerDNS.com/pdns  Try our new database driven nameserver!
http://www.tk                 the dot in .tk
http://lartc.org              Linux Advanced Routing & Traffic Control HOWTO
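Added example, not part of the original message and not the code from setuid-fd-2.tar.gz: the check a setuid program can run at startup so that a file it opens never lands on descriptor 0, 1 or 2, together with an in-process version of the test described above. The function names ensure_std_fds and fd_after_stderr_closed are hypothetical, and /dev/null stands in for the file the program would open.

```c
/* Added example: startup sanitising of fds 0-2 for a privileged program. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Make sure fds 0, 1 and 2 are open; point any closed one at /dev/null.
 * Returns how many were repaired, or -1 if a repair failed. */
int ensure_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                        /* descriptor is already open */
        int nfd = open("/dev/null", O_RDWR); /* takes the lowest free slot */
        if (nfd != fd) {
            if (nfd >= 0) close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

/* The test from the message, inside one process: close fd 2, optionally
 * sanitise, then open a file and report the fd it received. The real
 * stderr is parked on a high descriptor and restored before returning. */
int fd_after_stderr_closed(int sanitise)
{
    if (ensure_std_fds() < 0) return -1;     /* known starting state */
    int saved = fcntl(2, F_DUPFD, 10);
    if (saved < 0) return -1;
    close(2);
    int ok = !sanitise || ensure_std_fds() == 1;
    int fd = ok ? open("/dev/null", O_WRONLY) : -1; /* stand-in data file */
    if (fd >= 0) close(fd);
    dup2(saved, 2);                          /* put the real stderr back */
    close(saved);
    return fd;
}

int main(void)
{
    printf("unsanitised: fd %d\n", fd_after_stderr_closed(0));
    printf("sanitised:   fd %d\n", fd_after_stderr_closed(1));
    return 0;
}
```

In the unsanitised run the opened file receives descriptor 2, so anything the program later writes to stderr would go into that file; after ensure_std_fds() the same open receives a descriptor above 2.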
This archive was generated by hypermail 2b30 : Mon Apr 22 2002 - 15:04:23 PDT