From owner-freebsd-security Tue Feb 18 21:52:22 1997
Return-Path: 
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id VAA04807 for security-outgoing; Tue, 18 Feb 1997 21:52:22 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id VAA04800 for ; Tue, 18 Feb 1997 21:52:15 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id XAA12266; Tue, 18 Feb 1997 23:51:51 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702190551.XAA12266@enteract.com>
Subject: Re: Security problem in FreeBSD /sbin/init
To: cys@mailhost.wlc.com
Date: Tue, 18 Feb 1997 23:51:50 -0600 (CST)
Cc: tqbf@enteract.com, freebsd-security@freebsd.org
Reply-To: tqbf@enteract.com
In-Reply-To: <199702190351.TAA01277@cwsys.cwent.com> from "Cy Schubert" at Feb 18, 97 07:50:52 pm
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> I don't think this is a security problem since /sbin/init has permissions
> of 500 and /etc/ttys has permissions of 644.

You're missing the point. This is not a "get-root" bug. This is a
vulnerability that will allow an intruder who has already gained illicit
root access to evade "securelevels", which, among other things, prevent
modifications to the running kernel and to critical system binaries by
root. The status of the files is irrelevant unless they're immutable.
Many, many systems (several of mine included) rely on this mechanism to
ensure that, even if root is somehow compromised, the system cannot be
transparently modified to permit indefinite, undetectable future access
by the attacker.

Code exists and is being circulated that will allow intruders to
circumvent virtually every publicly available method of intrusion
detection; an attacker that controls the running kernel can prevent the
maintainers of the system from verifying its integrity, even
cryptographically, without physically removing the storage media and
mounting it in a "clean" machine.

Obviously, it's fairly important that this be fixed immediately, and that
word is spread immediately so that people who have taken these measures
to protect their systems are aware of the potential for silent
compromise.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"
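As an added illustration of the point made in the message above (this script is not part of the original post and was not written by its author), here is the kind of audit a FreeBSD administrator relying on securelevels would run: it checks that kern.securelevel has been raised to at least 1 (the level at which root can no longer clear the system-immutable flag) and that the files the boot path trusts actually carry schg, since, as the message says, ordinary permission bits mean nothing once root is held. The list of critical files, the reliance on the "ls -lo" listing format (flags column between group and size, "-" when empty), and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original message: audit whether the
# securelevel protections the message relies on are actually in force.
# Assumptions (this example's, not the message's): FreeBSD "ls -lo"
# output format and the CRITICAL_FILES list below.

# Files the boot path trusts. /etc/ttys is what init reads for getty and
# secure-console settings, so it needs schg as much as the binaries do.
CRITICAL_FILES="/kernel /sbin/init /etc/ttys /etc/rc /sbin/sysctl"

# missing_schg: read "ls -lo" lines on stdin and print the name (field 10)
# of every entry whose flags field (field 5, comma separated, "-" when no
# flags are set) does not contain schg.
missing_schg() {
    awk '
        NF >= 10 {
            n = split($5, f, ",")
            ok = 0
            for (i = 1; i <= n; i++) if (f[i] == "schg") ok = 1
            if (!ok) print $10
        }'
}

# securelevel_ok: succeed when the given kern.securelevel value is >= 1.
# Below 1, root can simply chflags noschg the file and edit it.
securelevel_ok() {
    [ "$1" -ge 1 ] 2>/dev/null
}

# audit: run both checks against the live system; non-zero if anything
# is off. Only meaningful from a kernel you still trust (or a clean boot):
# a subverted kernel can lie to sysctl and ls alike, which is exactly the
# "silent compromise" the message warns about.
audit() {
    level=$(sysctl -n kern.securelevel 2>/dev/null || echo -1)
    rc=0
    if ! securelevel_ok "$level"; then
        echo "kern.securelevel is $level; root can clear schg"
        rc=1
    fi
    # -d lists the named entries themselves rather than directory contents
    unprotected=$(ls -lod $CRITICAL_FILES 2>/dev/null | missing_schg)
    if [ -n "$unprotected" ]; then
        echo "critical files without schg:"
        echo "$unprotected"
        rc=1
    fi
    return $rc
}

# Run the live audit only when executed as a script, so the functions can
# also be sourced and exercised on constructed listings.
case "$0" in
    */audit_securelevel.sh|audit_securelevel.sh) audit ;;
esac
```

Run it as `sh audit_securelevel.sh` after booting, before anyone else has had a chance to touch the machine, and compare the output with the same list taken from a clean-booted copy of the media if the system is ever suspected of compromise; as the message points out, output from a kernel the attacker already controls proves nothing.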