Date:      Mon, 28 Jul 1997 18:47:20 +0000 (GMT)
From:      "Jonathan A. Zdziarski" <jonz@netrail.net>
To:        Nate Williams <nate@mt.sri.com>
Cc:        Robert Watson <robert+freebsd@cyrus.watson.org>, Vincent Poy <vince@mail.mcestate.com>, Tomasz Dudziak <loco@onyks.wszib.poznan.pl>, security@freebsd.org, "[Mario1-]" <mario1@primenet.com>, JbHunt <johnnyu@accessus.net>
Subject:   Re: security hole in FreeBSD
Message-ID:  <Pine.BSF.3.95q.970728184555.26434C-100000@netrail.net>
In-Reply-To: <199707282100.PAA07719@rocky.mt.sri.com>

httpd and sessiond initially are run as root, before they spawn off into
separate processes.  If you replace httpd and sessiond with your own code,
so that before it changes its uid and forks, you will get a root shell.


-------------------------------------------------------------------------
Jonathan A. Zdziarski                                NetRail Incorporated
Server Engineering Manager                    230 Peachtree St. Suite 500
jonz@netrail.net                                        Atlanta, GA 30303
http://www.netrail.net                                    (888) - NETRAIL
------------------------------------------------------------------------- 

On Mon, 28 Jul 1997, Nate Williams wrote:

:> There IS one common hole I've seen apache and stronghold have, and that is
:> that some people like to leave their sessiond or httpd files owned by
:> 'nobody'.  This allows somebody running CGI on that system to replace
:> those binaries with their own, hacked binaries (since the scripts are
:> usually owned as nobody), and the next time httpd starts, they can make it
:> write a root shell, or just about anything along those lines.
:
:If it's running as 'nobody', it can't create a root shell.  It can
:create a 'nobody' shell though...
:
:
:
:Nate
:
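
The misconfiguration discussed in this thread (server binaries that root starts but that 'nobody' owns) can be audited by checking the binary and every directory above it. The following is an added example, not part of the original e-mail; the function name `audit_root_launched` and the paths under `__main__` are assumptions.

```python
import os
import stat


def audit_root_launched(path, trusted_uids=(0,), stop_at="/"):
    """Return findings for a binary that root executes and each directory above it.

    A finding means an account outside trusted_uids could replace the file
    before root next starts it.
    """
    findings = []
    current = os.path.realpath(path)
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.lstat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, "owner uid %d is not trusted" % st.st_uid))
        writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # A sticky directory (such as /tmp) stops users from renaming or
        # deleting entries they do not own, so it is not flagged here.
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if writable and not sticky_dir:
            mode = stat.S_IMODE(st.st_mode)
            findings.append((current, "group/world writable, mode %o" % mode))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Constructed paths: adjust to where the server binaries really live.
    for binary in ("/usr/local/sbin/httpd", "/usr/local/sbin/sessiond"):
        if os.path.exists(binary):
            for where, why in audit_root_launched(binary):
                print("%s: %s" % (where, why))
```

An empty result means only the trusted accounts can modify or swap the binary; a directory finding matters as much as a file finding, because write access to a parent directory allows the file to be renamed and replaced.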



