[15311] in bugtraq


Re: Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2)

daemon@ATHENA.MIT.EDU (Alfred Perlstein)
Mon Jun 12 01:53:54 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20000610134017.S18462@fw.wintelcom.net>
Date:         Sat, 10 Jun 2000 13:40:17 -0700
Reply-To: Alfred Perlstein <bright@WINTELCOM.NET>
From: Alfred Perlstein <bright@WINTELCOM.NET>
X-To:         sector x <sectorx@DIGITALPHOBIA.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000610163613.16146.qmail@securityfocus.com>; from
              sectorx@DIGITALPHOBIA.COM on Sat, Jun 10, 2000 at 04:36:13PM -0000

* sector x <sectorx@DIGITALPHOBIA.COM> [000610 13:10] wrote:
> Here is a freebsd port of noir's cdrecord buffer overflow.
> have you noticed cdrecord is very often suid root on many
> systems? :)
>
> --sectorx
>
> -- snip snip --
>
> /* freebsd cdrecord exploit port by sectorx of XOR

[*yawn* *snip*]

But it's _not_ suid on FreeBSD:

~ % ls -l /usr/local/bin/cdrecord
-r-xr-xr-x  1 root  wheel  161244 May 20 04:31 /usr/local/bin/cdrecord

Cute but useless.  Any program that encourages users to suid it
root and allows arbitrary devices to be accessed over the scsi bus
needs to be taken out back and shot, twice.  Any vendor that ships
it that way, three times.

The exploit presented here is akin to writing a sploit for /bin/sh
that only works if it's suid.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
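The `ls -l` check above is the whole point: on this FreeBSD box the mode is `-r-xr-xr-x`, no `s` bit, so the overflow gains nothing. As an added example that is not part of the original thread, a small POSIX sh audit that applies the same check to a list of binaries (function names and sample paths are my own, not from the post):

```shell
#!/bin/sh
# Added example, not code from the bugtraq thread: report which of the given
# binaries carry a setuid or setgid bit, the check done by hand with ls -l.
# Only POSIX test(1) operators (-u, -g) are used, so the same script runs
# unchanged on FreeBSD and Linux.

# audit_privbits PATH... -> prints one line per setuid/setgid file, followed by
# its ls -l entry; returns 0 if none were found, 1 if at least one was.
audit_privbits() {
    found=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf 'missing: %s\n' "$f"
            continue
        fi
        bits=""
        [ -u "$f" ] && bits="${bits}setuid "
        [ -g "$f" ] && bits="${bits}setgid "
        if [ -n "$bits" ]; then
            printf 'PRIVILEGED: %s (%s)\n' "$f" "${bits% }"
            ls -l "$f"
            found=1
        fi
    done
    return $found
}

# count_privbits PATH... -> echoes how many of the paths are setuid or setgid.
count_privbits() {
    n=0
    for f in "$@"; do
        if [ -u "$f" ] || [ -g "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Usage (placeholder paths; pass the cdrecord locations for your system):
#   audit_privbits /usr/local/bin/cdrecord /usr/bin/cdrecord
```

A clean result is an exit status of 0 and no `PRIVILEGED:` lines; a setuid-root cdrecord shows up as `PRIVILEGED: ... (setuid)` with an `-rwsr-xr-x` mode in the `ls -l` line.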
