From owner-freebsd-security Sun Jun 30 09:17:33 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
    id JAA25264 for security-outgoing; Sun, 30 Jun 1996 09:17:33 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6])
    by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA25258
    for ; Sun, 30 Jun 1996 09:17:29 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81])
    by post.io.org (8.7.5/8.7.3) with SMTP id MAA10596;
    Sun, 30 Jun 1996 12:13:21 -0400 (EDT)
Date: Sun, 30 Jun 1996 12:14:10 -0400 (EDT)
From: Brian Tao
To: Dan Polivy
cc: Multiple recipients of list BUGTRAQ, FREEBSD-SECURITY-L
Subject: Re: BoS: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 30 Jun 1996, Dan Polivy wrote:
>
> Does /bin/bash exist on your system? Is the script setuid to
> anything? (It should have either the user or group +s, I think) It
> worked for me on my FreeBSD machines (2.1 and -stable)...

Small glitch on my mistake... I had tried the script as originally
presented to me, with #!/usr/bin/perl. Changing that to suidperl
alters the results (I thought perl automatically fed a setuid script
to suidperl).

On a BSD/OS 2.0 system, running the script produces "Can't swap uid
and euid.". The exploit works on my FreeBSD systems from 2.1R through
to 2.2-960501-SNAP. 2.2-960612-SNAP appears to have already fixed the
problem. I imagine the recent 2.1.5 snapshots are not vulnerable
either, but I haven't had a chance to verify.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"