From owner-freebsd-security Sun Nov 17 08:30:50 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA10323 for security-outgoing; Sun, 17 Nov 1996 08:30:50 -0800 (PST) Received: from chaos.ecpnet.com (raistlin@chaos.ecpnet.com [204.246.64.13]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA10306 for ; Sun, 17 Nov 1996 08:30:34 -0800 (PST) Received: from localhost (raistlin@localhost) by chaos.ecpnet.com (8.8.2/8.7.3) with SMTP id KAA02328; Sun, 17 Nov 1996 10:31:56 -0600 Date: Sun, 17 Nov 1996 10:31:55 -0600 (CST) From: Justen Stepka To: Will Brown cc: freebsd-security@freebsd.org Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: <199611171551.KAA09581@selway.i.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Sun, 17 Nov 1996, Will Brown wrote: > FYI: The exploit fails on Solaris 2.5. Works on FreeBSD 2.1.5. On > Solaris, /tmp/sh is created (r-sr-sr--) but executing it does not give > root privilege. Assume this is due to restrictions in Solaris on > executing setuid root programs outside of certain directories? Perhaps > that defense can be easily overcome, or is it a good last line of > defense? Why not a similar defense in FreeBSD? > > My apologies if this has been hashed over already. > > Obviously not good in any case. > > -- > Will Brown > Thing is that the new FreeBSD is patched for this and it won't work. I'm sure that 2.2-SNAP has the fix but I havn't tested it. I know that 3.0-Current is patched and that's whats important for me :) ------------------------------------------------------------------------------ Justen Stepka | http://www.ecpnet.com/~raistlin Network Administrator | "This space for rent" raistlin@ecpnet.com | 3.0-CURRENT FreeBSD 3.0-CURRENT ------------------------------------------------------------------------------