From: Dima Dorfman
Reply-To: dima@unixfreak.org
To: Michael Urban
Cc: freebsd-questions@freebsd.org
Date: Thu, 19 Oct 2000 10:36:45 -0700 (PDT)
Subject: Re: su root exploit?
In-Reply-To: <20001019103754.A667@tznet.com> "from Michael Urban at Oct 19, 2000 10:37:54 am"
Message-Id: <20001019173646.153E71F35@static.unixfreak.org>

> Does this particular root exploit affect su on FreeBSD? The article
> says it affects all versions of su. I built and tried to use the code
> they included on my system, but I couldn't get anything to happen.

DISCLAIMER: I'm not a security expert. I just spent five minutes
looking at the exploit, and below are my conclusions. Don't take this
as an official statement.

- I think the "all versions of su" at the top refers to Linux versions
  of su. Considering that they expect it to be in /bin, they certainly
  haven't tried it on any of the BSDs.

- Although the actual code to be executed is in the environment, the
  format string bug appears to be in the handling of the "-u" flag to
  su. I can't find a reference to it in the manual pages.

Conclusion (again, not official): This particular exploit probably
can't be used against FreeBSD. That's not to say that a similar
problem doesn't exist which will allow this exploit to work with
slight modifications.

Hope this helps

--
Dima Dorfman
Finger dima@unixfreak.org for my public PGP key.
If two wrongs don't make a right, try three!