From owner-freebsd-security Sun Nov 17 08:22:28 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA09586 for security-outgoing; Sun, 17 Nov 1996 08:22:28 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA09562 for ; Sun, 17 Nov 1996 08:22:07 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id LAA02721; Sun, 17 Nov 1996 11:18:39 -0500
From: Adam Shostack
Message-Id: <199611171618.LAA02721@homeport.org>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To: <199611171551.KAA09581@selway.i.com> from Will Brown at "Nov 17, 96 10:51:03 am"
To: ewb@zns.net (Will Brown)
Date: Sun, 17 Nov 1996 11:18:39 -0500 (EST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Will Brown wrote:

| FYI: The exploit fails on Solaris 2.5. Works on FreeBSD 2.1.5. On
| Solaris, /tmp/sh is created (r-sr-sr--) but executing it does not give
| root privilege. Assume this is due to restrictions in Solaris on
| executing setuid root programs outside of certain directories? Perhaps
| that defense can be easily overcome, or is it a good last line of
| defense? Why not a similar defense in FreeBSD?

I think there's code in the shipped Solaris shells that causes them to
switch uid back to that of the invoker when they are setuid. This is a
slick defense against exploit scripts, but it doesn't take that much to
work around it. My preferred method is to use a tcsh binary that doesn't
have the defense instead of /bin/sh.

On another note, how about qmail replacing sendmail?

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume