Date: Sun, 30 Jun 1996 12:14:10 -0400 (EDT)
From: Brian Tao <taob@io.org>
To: Dan Polivy <danp@carebase3.jri.org>
Cc: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>, FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
Subject: Re: BoS: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
Message-ID: <Pine.NEB.3.92.960630120244.18686C-100000@zap.io.org>
In-Reply-To: <Pine.BSF.3.91.960630115332.3753A-100000@carebase3.jri.org>

On Sun, 30 Jun 1996, Dan Polivy wrote:
>
> Does /bin/bash exist on your system? Is the script setuid to
> anything? (It should have either the user or group +s, I think) It
> worked for me on my FreeBSD machines (2.1 and -stable)...

Small glitch on my mistake... I had tried the script as originally
presented to me, with #!/usr/bin/perl. Changing that to suidperl
alters the results (I thought perl automatically fed a setuid script
to suidperl).

On a BSD/OS 2.0 system, running the script produces "Can't swap
uid and euid.". The exploit works on my FreeBSD systems from 2.1R
through to 2.2-960501-SNAP. 2.2-960612-SNAP appears to have already
fixed the problem. I imagine the recent 2.1.5 snapshots are not
vulnerable either, but I haven't had a chance to verify.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
