From owner-freebsd-security Sun Nov 17 08:09:12 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA08100 for security-outgoing; Sun, 17 Nov 1996 08:09:12 -0800 (PST)
Received: from procert.cert.dfn.de (procert.cert.dfn.de [134.100.14.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA08063 for ; Sun, 17 Nov 1996 08:08:45 -0800 (PST)
Received: from tiger.cert.dfn.de (ley@tiger.cert.dfn.de [134.100.14.11]) by procert.cert.dfn.de (8.8.3/8.8.3) with ESMTP id RAA21005; Sun, 17 Nov 1996 17:09:29 +0100 (MET)
From: Wolfgang Ley
Received: (from ley@localhost) by tiger.cert.dfn.de (8.8.3/8.8.3) id RAA13620; Sun, 17 Nov 1996 17:09:27 +0100 (MET)
Message-Id: <199611171609.RAA13620@tiger.cert.dfn.de>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
To: ewb@zns.net (Will Brown)
Date: Sun, 17 Nov 1996 17:09:27 +0100 (MET)
Cc: freebsd-security@freebsd.org
In-Reply-To: <199611171551.KAA09581@selway.i.com> from "Will Brown" at Nov 17, 96 10:51:03 am
Organization: DFN-CERT (Computer Emergency Response Team, Germany)
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Will Brown wrote:
>
> FYI: The exploit fails on Solaris 2.5. Works on FreeBSD 2.1.5. On
> Solaris, /tmp/sh is created (r-sr-sr--) but executing it does not give
> root privilege. Assume this is due to restrictions in Solaris on
> executing setuid root programs outside of certain directories? Perhaps
> that defense can be easily overcome, or is it a good last line of
> defense? Why not a similar defense in FreeBSD?
>
> My apologies if this has been hashed over already.
>
> Obviously not good in any case.

The exploit does work on Solaris (as you see, the shell with the setuid root is created). It doesn't matter if starting that shell will give you a root shell or not, because you already managed to execute a program with root privs.

The setuid /tmp/sh fails because either /tmp is mounted nosuid (it's always a good idea to mount all user-writable dirs like /tmp, /var etc. nosuid) or you just have to use the "-p" switch to avoid resetting the userid while starting a setuid shell (see "man sh").

Bye,
Wolfgang.

- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley@cert.dfn.de  Phone: +49 40 5494-2262  Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via WWW from http://www.cert.dfn.de/~ley/
...have a nice day

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
-----END PGP SIGNATURE-----
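As an added example (not from the original thread or from DFN-CERT), a POSIX shell audit of the mitigation Wolfgang names: it parses `mount` output, constructed here in FreeBSD's format, and flags every user-writable mount point that lacks `nosuid`; the field layout also matches Linux `mount` output, so the same check runs there. The list of user-writable directories is an assumption.

```shell
#!/bin/sh
# Added defensive audit, not part of the original mail. Every
# user-writable mount point should carry "nosuid", so a planted setuid
# binary (like the /tmp/sh in the thread) gains no privileges.

# Mount points unprivileged users can normally write to (assumption;
# adjust for your layout).
USER_WRITABLE="/tmp /var/tmp /var /home"

# Constructed sample of `mount` output in FreeBSD format; on a live
# host use: MOUNT_OUTPUT=$(mount)
SAMPLE_MOUNTS='/dev/da0s1a on / (ufs, local, soft-updates)
/dev/da0s1e on /tmp (ufs, local, nosuid, soft-updates)
/dev/da0s1f on /var (ufs, local, soft-updates)
/dev/da0s1g on /home (ufs, local, nosuid, soft-updates)'

# mount_has_nosuid MOUNT_OUTPUT MOUNTPOINT
# Prints "nosuid", "suid" or "absent" (no separate filesystem there).
mount_has_nosuid() {
    _out=$1 _mp=$2
    _line=$(printf '%s\n' "$_out" | awk -v mp="$_mp" '$3 == mp { print; exit }')
    if [ -z "$_line" ]; then
        echo absent
    else
        case "$_line" in
            *nosuid*) echo nosuid ;;
            *)        echo suid ;;
        esac
    fi
}

# audit_nosuid MOUNT_OUTPUT
# Reports each user-writable mount point; returns 1 if any is mounted
# without nosuid, 0 otherwise.
audit_nosuid() {
    _out=$1 _bad=0
    for _mp in $USER_WRITABLE; do
        case "$(mount_has_nosuid "$_out" "$_mp")" in
            nosuid) echo "ok:   $_mp is mounted nosuid" ;;
            suid)   echo "WARN: $_mp is user-writable but not nosuid"; _bad=1 ;;
            absent) ;;  # covered by the options of its parent filesystem
        esac
    done
    return $_bad
}

# Complementary live check: setuid files under user-writable trees are a
# red flag whatever the mount options.
#   find /tmp /var/tmp -xdev -type f -perm -4000 -ls
```

Run `audit_nosuid "$(mount)"` on a live host; a nonzero exit status means at least one user-writable filesystem still honours setuid bits.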