From owner-freebsd-security Mon Jul 28 15:48:19 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA09295 for security-outgoing; Mon, 28 Jul 1997 15:48:19 -0700 (PDT)
Received: from netrail.net (netrail.net [205.215.10.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA09290 for ; Mon, 28 Jul 1997 15:48:16 -0700 (PDT)
Received: from localhost (jonz@localhost) by netrail.net (8.8.6/8.8.6) with SMTP id SAA27376; Mon, 28 Jul 1997 18:47:20 GMT
Date: Mon, 28 Jul 1997 18:47:20 +0000 (GMT)
From: "Jonathan A. Zdziarski"
To: Nate Williams
cc: Robert Watson, Vincent Poy, Tomasz Dudziak, security@freebsd.org, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707282100.PAA07719@rocky.mt.sri.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

httpd and sessiond are initially run as root, before they spawn off into
separate processes. If you replace httpd and sessiond with your own code,
so that your code runs before it changes its uid and forks, you will get a
root shell.

-------------------------------------------------------------------------
Jonathan A. Zdziarski                                NetRail Incorporated
Server Engineering Manager                      230 Peachtree St. Suite 500
jonz@netrail.net                                          Atlanta, GA 30303
http://www.netrail.net                                    (888) - NETRAIL
-------------------------------------------------------------------------

On Mon, 28 Jul 1997, Nate Williams wrote:

:> There IS one common hole I've seen apache and stronghold have, and that is
:> that some people like to leave their sessiond or httpd files owned by
:> 'nobody'. This allows somebody running CGI on that system to replace
:> those binaries with their own, hacked binaries (since the scripts are
:> usually owned as nobody), and the next time httpd starts, they can make it
:> write a root shell, or just about anything along those lines.
:
:If it's running as 'nobody', it can't create a root shell. It can
:create a 'nobody' shell though...
:
:
:
:Nate
:
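The condition the thread is arguing about is checkable: a binary that root execs at start-up and that the server's unprivileged account (the one CGI runs as) can write, or sits in a directory that account can write, is a root-level problem regardless of which uid the server drops to later. The script below is an added example written for this page, not code from the thread or from Apache, Stronghold or FreeBSD; the paths and the account name "nobody" in it are assumptions for illustration. It classifies a file by owner, group and mode against the unprivileged account's identity, then audits a binary together with its parent directory, since a writable parent lets the account rename the real binary away and put its own in place.

```shell
#!/bin/sh
# Added example, not code from the original thread. Audits whether a binary
# that root execs at daemon start-up (httpd, sessiond, ...) could be replaced
# by the unprivileged account the daemon later drops to, such as "nobody"
# running CGI. Paths and account names below are assumptions for illustration.

# classify_file OWNER GROUP MODE UNPRIV_USER UNPRIV_GROUPS
#   MODE is an octal permission string as stat prints it (755, 0755, 4755).
#   UNPRIV_GROUPS is a space-separated list of the account's groups.
#   Prints OWNED, WRITABLE or OK on stdout; always returns 0.
classify_file() {
    owner=$1; group=$2; mode=$3; uuser=$4; ugroups=$5
    perm=$(( 0$mode ))              # leading 0 forces octal interpretation
    if [ "$owner" = "$uuser" ]; then
        echo OWNED                  # the account can chmod, truncate or replace it
        return 0
    fi
    if [ $(( perm & 2 )) -ne 0 ]; then
        echo WRITABLE               # world-writable
        return 0
    fi
    if [ $(( perm & 16 )) -ne 0 ]; then
        for g in $ugroups; do       # group-writable and the account is in that group
            if [ "$g" = "$group" ]; then
                echo WRITABLE
                return 0
            fi
        done
    fi
    echo OK
}

# file_facts PATH -> "owner group mode", GNU stat first, BSD stat as fallback
file_facts() {
    stat -c '%U %G %a' "$1" 2>/dev/null || stat -f '%Su %Sg %Mp%Lp' "$1"
}

# audit_binary PATH UNPRIV_USER
#   Checks the binary and its parent directory. Prints one "<verdict> <path>"
#   line per item; returns 0 only if both are OK, 2 if a path cannot be read.
audit_binary() {
    bin=$1; uuser=$2
    ugroups=$(id -Gn "$uuser" 2>/dev/null) || ugroups=""
    rc=0
    for p in "$bin" "$(dirname "$bin")"; do
        facts=$(file_facts "$p") || return 2
        set -- $facts               # $1=owner $2=group $3=mode
        verdict=$(classify_file "$1" "$2" "$3" "$uuser" "$ugroups")
        # Sticky directory: entries owned by someone else cannot be renamed or
        # unlinked there, so group/world write on the directory alone is harmless.
        if [ "$p" != "$bin" ] && [ "$verdict" = WRITABLE ] && [ $(( 0$3 & 512 )) -ne 0 ]; then
            verdict=OK
        fi
        echo "$verdict $p"
        [ "$verdict" = OK ] || rc=1
    done
    return $rc
}

# Usage, with an assumed install path for the server:
#   sh audit.sh /usr/local/sbin/httpd nobody
if [ $# -eq 2 ]; then
    audit_binary "$1" "$2"
    exit $?
fi
```

Anything reported as OWNED or WRITABLE for the binary or its directory is the case Jonathan describes: the next restart has root exec whatever that account left there. The fix is the obvious one, root-owned binaries and parent directories with no group or world write bit (e.g. `chown root:wheel` and `chmod 755`), after which the script reports OK for both paths.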