[21503] in bugtraq

Re: FreeBSD 4.3 local root

daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Mon Jul 16 00:17:42 2001

Message-ID: <00eb01c10b9e$7b6b4350$2001a8c0@clitoris>
From: "Przemyslaw Frasunek" <venglin@freebsd.lublin.pl>
To: "Foldi Tamas" <crow@kapu.hu>
Cc: <bugtraq@securityfocus.com>
Date: Fri, 13 Jul 2001 15:19:37 +0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-2"
Content-Transfer-Encoding: 7bit

> > http://www.frasunek.com/sources/security/rexec/
> This workaround is not complete, because it doesn't protect against
> exploitation of the bug. For example, the attacker can send the shellcode
> via stdin to the suid program. Its address can also be determined by
> removing the suid bit from the program and tracing it as non-root.

Of course, rexec wasn't designed to protect against this vulnerability. It
protects against argument/environment-based overflows and some formatting bugs.
Almost all such security enhancements can be bypassed, but not by
script kiddies. Rexec tries to make exploiting local vulnerabilities harder.
The selective noexec feature prevents kiddies from running their exploits.

> (BTW, rexec is generally a good idea, we like it)

Thanks. I'm using it on all of my boxes with user accounts.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
