From owner-freebsd-security Tue Oct 10 16:58:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from toad.com (toad.com [140.174.2.1]) by hub.freebsd.org (Postfix) with ESMTP id 930BC37B66C for ; Tue, 10 Oct 2000 16:58:29 -0700 (PDT)
Received: from grok.example.net (unknown@cr479972-a.rct1.bc.wave.home.com [24.113.37.168]) by toad.com (8.7.5/8.7.3) with ESMTP id QAA10133; Tue, 10 Oct 2000 16:58:28 -0700 (PDT)
Received: by grok.example.net (Postfix, from userid 1000) id BCAFD21316E; Tue, 10 Oct 2000 16:59:08 -0700 (PDT)
Date: Tue, 10 Oct 2000 16:59:08 -0700
From: Steve Reid
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
Message-ID: <20001010165908.C9112@grok>
References: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <200010101403.e9AE3Ir08713@cwsys.cwsent.com>; from Cy Schubert - ITSD Open Systems Group on Tue, Oct 10, 2000 at 07:02:30AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Oct 10, 2000 at 07:02:30AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> For those of you who don't subscribe to BUGTRAQ, here's a heads up.

I tried it on a 4.1-R box and a 4.1.1-R box, with the same results both times:

steve@grok:/home/steve% ./exploit.csh
-rwxr-sr-x  1 steve  wheel  622908 Oct 10 16:47 /tmp/csh

So there is arbitrary code being executed to copy csh to /tmp and set it setgid, but I am in group wheel already, so no gain (it should be group kmem). Either systat gives up privs before the Bad Stuff happens, or the exploit is just a proof-of-concept designed to not work for script kiddies.

What about top? It is linked to ncurses too. I tried changing the script to use top instead of systat but got this:

steve@grok:/home/steve% ./exploit.csh
ls: /tmp/csh: No such file or directory

So either top is not exploitable or the exploit needs to be modified for top.

I would `chmod g-s /usr/bin/systat /usr/bin/top` until we know for sure.
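The post's mitigation is to strip the set-gid bit from the ncurses-linked binaries it names. The following shell script is an added example, not code from the thread or from FreeBSD: it audits an inventory of binaries and flags those that carry a setuid/setgid bit and are linked against libncurses, printing the matching chmod g-s command for each. The function names (is_privileged, links_ncurses, audit, audit_live, sample_inventory) are my own; the inventory lines and library names are constructed sample data in the shape of ls -l mode strings plus the library names ldd prints.

```shell
#!/bin/sh
# Added example (not from the original post): find set-gid/set-uid binaries
# that link against ncurses, the class of program the thread says to
# chmod g-s until the ncurses issue is resolved.

# is_privileged MODE: succeed if the ls(1)-style mode string has a setuid
# or setgid bit (s/S in the owner or group execute position).
is_privileged() {
    case "$1" in
        ???s??????|???S??????|??????s???|??????S???) return 0 ;;
        *) return 1 ;;
    esac
}

# links_ncurses LIBS: succeed if the space-separated library list (as
# printed by ldd) contains a libncurses entry.
links_ncurses() {
    case " $1 " in
        *" libncurses"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit: read "path mode lib lib ..." lines from stdin and print
# "path mode" for each binary that is privileged AND links ncurses.
audit() {
    while read -r path mode libs; do
        [ -z "$path" ] && continue
        if is_privileged "$mode" && links_ncurses "$libs"; then
            printf '%s %s\n' "$path" "$mode"
        fi
    done
}

# sample_inventory: constructed sample data, not output from a real host.
sample_inventory() {
    cat <<'EOF'
/usr/bin/systat -r-xr-sr-x libncurses.so.5 libkvm.so.2 libc.so.4
/usr/bin/top -r-xr-sr-x libncurses.so.5 libkvm.so.2 libc.so.4
/usr/bin/vi -r-xr-xr-x libncurses.so.5 libc.so.4
/usr/bin/passwd -r-sr-xr-x libcrypt.so.2 libc.so.4
EOF
}

# count_flagged: how many sample binaries need the g-s treatment.
count_flagged() {
    sample_inventory | audit | wc -l | tr -d ' '
}

# audit_live: build the same inventory from the running system (setuid or
# setgid files under /usr/bin and /usr/sbin plus their ldd output) and
# audit it. Not run at top level; invoke by hand on the host being checked.
audit_live() {
    find /usr/bin /usr/sbin -type f \( -perm -2000 -o -perm -4000 \) 2>/dev/null |
    while read -r f; do
        mode=$(ls -l "$f" | cut -c1-10)
        libs=$(ldd "$f" 2>/dev/null | awk '/=>/ {print $1}' | tr '\n' ' ')
        printf '%s %s %s\n' "$f" "$mode" "$libs"
    done | audit
}

# Run the audit over the constructed sample and print the mitigation for
# each hit. Expected: systat and top are flagged; vi (not privileged) and
# passwd (privileged but no ncurses) are not.
sample_inventory | audit | while read -r path mode; do
    printf 'flag: %s (%s) -> chmod g-s %s\n' "$path" "$mode" "$path"
done
```

On a live host, run audit_live as root and review each flagged path before removing its set-gid bit; systat and top in the post lose their kmem access, which is exactly the trade-off the author accepts "until we know for sure".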