[21513] in bugtraq
Re: FreeBSD 4.3 local root
daemon@ATHENA.MIT.EDU (Foldi Tamas)
Mon Jul 16 00:39:14 2001
From: Foldi Tamas <crow@kapu.hu>
To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Cc: bugtraq@securityfocus.com
In-Reply-To: <049201c10a05$5dc17bc0$2001a8c0@clitoris>
Content-Type: text/plain
Date: 13 Jul 2001 13:39:02 +0200
Message-Id: <995024343.1405.0.camel@DarkSun>
Mime-Version: 1.0
> Quick workaround is to limit arguments, environment and filter non-ascii
> characters:
>
> http://www.frasunek.com/sources/security/rexec/
This workaround is not complete, because it doesn't protect against
exploitation of the bug. For example, the attacker can send the shellcode via
stdin to the suid program. Its address can also be determined by removing
the suid bit from the program and tracing it as non-root.
What's your opinion?
(BTW, rexec is generally a good idea, we like it)
Best regards,
Megyer Ur (lez), Foldi Ur
--
. . _ __ ______________________________________________________ __ _ . .
Foldi Tamas - We Are The Hashmark In The Rootshell - Security Consultant
crow@kapu.hu - PGP: finger://crow@thot.banki.hu - (+3630) 221-7477