From owner-freebsd-security Mon Jul 28 15:51:16 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA09572 for security-outgoing; Mon, 28 Jul 1997 15:51:16 -0700 (PDT)
Received: from netrail.net (netrail.net [205.215.10.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA09567 for ; Mon, 28 Jul 1997 15:51:14 -0700 (PDT)
Received: from localhost (jonz@localhost) by netrail.net (8.8.6/8.8.6) with SMTP id SAA27707; Mon, 28 Jul 1997 18:50:07 GMT
Date: Mon, 28 Jul 1997 18:50:07 +0000 (GMT)
From: "Jonathan A. Zdziarski"
To: Vincent Poy
cc: "[Mario1-]", JbHunt, Robert Watson, Tomasz Dudziak, security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

As long as httpd and sessiond are owned by something other than what CGI
scripts run as, you're safe, but if they are both nobody, you can replace
the binary... We had it happen to us once with v1.2; this is how I know.

-------------------------------------------------------------------------
Jonathan A. Zdziarski                          NetRail Incorporated
Server Engineering Manager                     230 Peachtree St. Suite 500
jonz@netrail.net                               Atlanta, GA 30303
http://www.netrail.net                         (888) - NETRAIL
-------------------------------------------------------------------------

On Mon, 28 Jul 1997, Vincent Poy wrote:

:On Mon, 28 Jul 1997, [Mario1-] wrote:
:
:=)On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote:
:=)
:=): There IS one common hole I've seen apache and stronghold have, and that is
:=): that some people like to leave their sessiond or httpd files owned by
:=): 'nobody'. This allows somebody running CGI on that system to replace
:=): those binaries with their own, hacked binaries (since the scripts are
:=): usually owned as nobody), and the next time httpd starts, they can make it
:=): write a root shell, or just about anything along those lines.
:=)
:=)Now THIS is interesting. I was thinking about this a little while ago.
:=)Didn't it seem like 'nobody' had an awful lot of processes running
:=)last night?
:
: Yes, it did but they were all httpd and I understand apache httpd
:has fixed this security hole a long time ago since we are using the new
:version of apache.
:
:
:Cheers,
:Vince - vince@MCESTATE.COM - vince@GAIANET.NET                ________   __ ____
:Unix Networking Operations - FreeBSD-Real Unix for Free       / / / / | / |[__ ]
:GaiaNet Corporation - M & C Estate                            / / / / | / | __] ]
:Beverly Hills, California USA 90210                           / / / / / |/ / | __] ]
:HongKong Stars/Gravis UltraSound Mailing Lists Admin         /_/_/_/_/|___/|_|[____]
:
:
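A defender's check for the misconfiguration discussed in this thread, added here as an example and not part of the original post or of Apache or Stronghold: a POSIX shell function that flags a server binary as unsafe when it is owned by the user the server and its CGI scripts run as (the `nobody` case above), or when it is writable by everyone. The binary path and run user are passed in as arguments; no real paths are assumed.

```shell
#!/bin/sh
# Added example (not from the original message): verify that httpd/sessiond
# binaries cannot be replaced by the unprivileged user they run as.
# Exit status: 0 = ownership safe, 1 = the run user could replace the binary,
# 2 = file not found.

# Print the owning user of a file. `ls -ld` is used instead of stat(1)
# because its column layout is the same on BSD and GNU systems.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Print the 10-character mode string, e.g. -rwxr-xr-x (ACL '+' is dropped).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_binary_owner BINARY RUNUSER
#   BINARY  - path to the server binary (httpd, sessiond, ...)
#   RUNUSER - the unprivileged account the server switches to (User directive)
check_binary_owner() {
    bin=$1
    runuser=$2
    [ -e "$bin" ] || { echo "missing: $bin" >&2; return 2; }
    owner=$(file_owner "$bin")
    mode=$(file_mode "$bin")
    if [ "$owner" = "$runuser" ]; then
        # Exactly the hole from the thread: the CGI user owns the binary,
        # so it can overwrite it and the next restart runs attacker code.
        echo "UNSAFE: $bin is owned by $runuser, the account CGI scripts run as" >&2
        return 1
    fi
    case $mode in
        ????????w?)
            # World-writable is equivalent to being owned by the run user.
            echo "UNSAFE: $bin is world-writable ($mode)" >&2
            return 1 ;;
    esac
    echo "ok: $bin owned by $owner, server runs as $runuser"
    return 0
}

# Usage when run directly: check_binary_owner /path/to/httpd nobody
if [ "$#" -ge 2 ]; then
    check_binary_owner "$1" "$2"
fi
```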