[21461] in bugtraq
Re: FreeBSD 4.3 local root
daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Wed Jul 11 11:31:17 2001
Message-ID: <049201c10a05$5dc17bc0$2001a8c0@clitoris>
From: "Przemyslaw Frasunek" <venglin@freebsd.lublin.pl>
To: "Seva Gluschenko" <gvs@rinet.ru>, "Bug Track" <bugtraq@securityfocus.com>
Cc: <security@freebsd.org>
Date: Wed, 11 Jul 2001 14:31:06 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
> Well, after a bunch of tests I've found only two suids which gave me
> suid shell:
> /usr/bin/passwd
> /usr/local/bin/ssh1
/usr/bin/su also works for me:
riget:venglin:~> egrep -e execl vvfreebsd.c
if(!execl("/usr/bin/su","su","szymon",0))
riget:venglin:~> ./v
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe72
child=57660
Password:done
# id
uid=0(root) gid=1001(users) groups=1001(users), 99(rexec)
> So, quick workaround should be
A quick workaround is to limit arguments and environment and to filter non-ASCII
characters:
http://www.frasunek.com/sources/security/rexec/
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
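As an added illustration of the workaround described in the reply above (it is not the wrapper published at frasunek.com, nor any code from the original thread), the following is an exec wrapper that refuses over-long or over-numerous arguments, passes only a whitelisted, length-checked environment, rejects any byte outside printable 7-bit ASCII, and only then hands control to the setuid target. The target path /usr/bin/su is the one used in the post; the limits, the environment whitelist and the error messages are assumptions chosen for illustration.

```c
/* Added example, not code from the original thread or from frasunek.com:
 * an exec wrapper that limits argv, reduces the environment to a whitelist
 * and rejects non-ASCII bytes before exec'ing a setuid target.
 * Limits, whitelist and TARGET are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Assumed limits: illustrative values, tune them to the target. */
#define MAX_ARGS     32
#define MAX_ARG_LEN  1024
#define MAX_ENV_LEN  1024
#define TARGET       "/usr/bin/su"   /* target named in the post; assumed here */

/* Return 1 if s consists only of printable 7-bit ASCII (0x20..0x7e),
 * 0 otherwise. Bytes >= 0x80 and control characters are rejected. */
int is_printable_ascii(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c > 0x7e)
            return 0;
    }
    return 1;
}

/* Check a NULL-terminated vector (argv-style) against an entry-count limit,
 * a per-entry length limit and the ASCII filter. Returns 0 if every entry
 * passes, -1 if there are too many entries, an entry is too long, or an
 * entry contains non-ASCII or control bytes. */
int check_vector(char *const vec[], size_t max_entries, size_t max_len)
{
    size_t n;
    for (n = 0; vec[n] != NULL; n++) {
        if (n >= max_entries)
            return -1;
        if (strlen(vec[n]) > max_len)
            return -1;
        if (!is_printable_ascii(vec[n]))
            return -1;
    }
    return 0;
}

/* Build the reduced environment handed to the target: only variables whose
 * names appear in `keep` survive, and each survivor must still pass the
 * length and ASCII checks. `out` must have room for nkeep + 1 pointers.
 * Returns the number of variables copied, or -1 on caller-buffer overflow. */
int build_env(char *const env[], const char *const keep[], size_t nkeep,
              char *out[], size_t max_len)
{
    size_t count = 0, i, j;
    for (i = 0; i < nkeep; i++) {
        size_t klen = strlen(keep[i]);
        for (j = 0; env[j] != NULL; j++) {
            if (strncmp(env[j], keep[i], klen) == 0 && env[j][klen] == '=' &&
                strlen(env[j]) <= max_len && is_printable_ascii(env[j])) {
                if (count >= nkeep)
                    return -1;
                out[count++] = env[j];
                break;          /* first match wins; duplicates are dropped */
            }
        }
    }
    out[count] = NULL;
    return (int)count;
}

int main(int argc, char *argv[])
{
    /* Assumed whitelist: the only variables the target gets to see. */
    static const char *const keep[] = { "PATH", "TERM", "HOME" };
    char *newenv[sizeof keep / sizeof keep[0] + 1];

    (void)argc;
    if (check_vector(argv, MAX_ARGS, MAX_ARG_LEN) != 0) {
        fprintf(stderr, "wrapper: argument vector rejected\n");
        return 1;
    }
    if (build_env(environ, keep, sizeof keep / sizeof keep[0],
                  newenv, MAX_ENV_LEN) < 0) {
        fprintf(stderr, "wrapper: environment rejected\n");
        return 1;
    }
    argv[0] = "su";
    execve(TARGET, argv, newenv);
    perror("wrapper: execve");
    return 1;
}
```

A wrapper of this kind only helps if ordinary users can no longer run the setuid target directly (for instance, the target made executable only by a group that the wrapper is setgid to); if the original binary stays world-executable the wrapper is simply bypassed.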