From owner-freebsd-security Fri Oct 19 10:53:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bogslab.ucdavis.edu (bogslab.ucdavis.edu [169.237.68.34]) by hub.freebsd.org (Postfix) with ESMTP id BD27537B40C for ; Fri, 19 Oct 2001 10:53:31 -0700 (PDT)
Received: from thistle.bogs.org (thistle.bogs.org [198.137.203.61]) by bogslab.ucdavis.edu (8.9.3/8.9.3) with ESMTP id KAA40563 for ; Fri, 19 Oct 2001 10:53:24 -0700 (PDT) (envelope-from greg@bogslab.ucdavis.edu)
Received: from thistle.bogs.org (localhost [127.0.0.1]) by thistle.bogs.org (8.11.3/8.11.3) with ESMTP id f9JHoFt07041 for ; Fri, 19 Oct 2001 10:50:17 -0700 (PDT) (envelope-from greg@thistle.bogs.org)
Message-Id: <200110191750.f9JHoFt07041@thistle.bogs.org>
To: security@FreeBSD.ORG
X-To: "Tomek"
X-Sender: owner-freebsd-security@FreeBSD.ORG
Subject: Re: Whats to stop one user from being root?
In-reply-to: Your message of "Fri, 19 Oct 2001 07:27:36 MDT." <001101c158a1$d12ab320$f6f073d1@mpionline.com>
Reply-To: gkshenaut@ucdavis.edu
Date: Fri, 19 Oct 2001 10:50:15 -0700
From: Greg Shenaut
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In message <001101c158a1$d12ab320$f6f073d1@mpionline.com>, "Tomek" cleopede:

>Hey there,
>I have 2 questions really, maybe they are obvious, maybe not.
>
>1. What is to stop a user program from calling halfway into the middle of
>"chmod" for example and bypassing any security checking code? I know
>this would be highly dependent on kernel version, but is there
>protection against this?
>
>2. In reference to the telnet buffer overflow security problem, how is
>it that something as simple as fetching data for login name and data for
>password was not protected? If anyone has any links to detailed
>information about WHY the buffer overrun works (in great detail), please
>let me know. It's currently beyond me why the incoming data wasn't
>limited in size before any processing at all.

The telnetd exploit allows someone to run an interactive root shell without logging in. The telnetd program starts up as root; the exploit manages to overflow memory by performing thousands of setenv requests, and causes an "exec /bin/sh" to take place. This happens before any authentication takes place. Telnetd limited the size, but not the number or contents of setenv requests; this, plus the availability of the program source, allowed someone to create this exploit.

I found out a little about how it worked when someone used it to hack into my system, and then was (apparently) using my system as a base to hack into other systems. He left a copy of the "bsdtelnet" program and its source code on my system. I tried running the program ("bsdtelnet localhost") and within ten minutes or less I was looking at a root shell prompt.

Greg Shenaut

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
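The reply above turns on one design flaw: the server bounded the size of each setenv request but not how many of them a client could send, so an unlimited run of individually legal requests could exceed the space that held them. The following C program is an added illustration of that pattern and is not Greg Shenaut's code, the "bsdtelnet" program, or telnetd's actual source; the buffer sizes, the request-count cap, and the function names are assumptions chosen for the example. The weak policy only counts the bytes it would admit (it never writes past anything), so the overrun is measured rather than performed; the hardened policy adds the two checks the reply says were missing, a bound on the cumulative total and a cap on the number of requests.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical capacities for the example; not telnetd's real values. */
#define ENV_AREA    64   /* bytes of storage the server actually has   */
#define MAX_VAR_LEN 16   /* per-request length limit, including the NUL */
#define MAX_VARS     4   /* request-count cap used by the hardened policy */

/* Weak policy (models the flaw described in the reply): every request is
 * checked against MAX_VAR_LEN on its own, so any number of individually
 * legal requests is accepted and their sum can exceed ENV_AREA. Returns
 * the byte total the policy would admit; nothing is copied anywhere. */
size_t per_item_policy(const char *const *vals, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(vals[i]) + 1;     /* value plus terminating NUL */
        if (len > MAX_VAR_LEN)
            continue;                          /* oversize value: rejected   */
        total += len;                          /* no check of remaining room */
    }
    return total;
}

/* Hardened policy: same per-item limit, plus the total is bounded by the
 * room left in the destination and the number of stored requests is
 * capped. Copies into a real buffer and returns bytes actually stored. */
size_t bounded_policy(const char *const *vals, size_t n,
                      char *area, size_t area_len)
{
    size_t used = 0, stored = 0;
    for (size_t i = 0; i < n && stored < MAX_VARS; i++) {
        size_t len = strlen(vals[i]) + 1;
        if (len > MAX_VAR_LEN)
            continue;                          /* per-item limit, as before  */
        if (len > area_len - used)
            break;                             /* would not fit: stop, no write */
        memcpy(area + used, vals[i], len);
        used += len;
        stored++;
    }
    return used;
}

/* Constructed request stream: eight legal-sized values (11 bytes each
 * with the NUL) and one that breaks the per-item limit. */
static const char *const constructed_requests[] = {
    "TERM=vt100", "TERM=vt100", "TERM=vt100", "TERM=vt100",
    "VALUE_THAT_IS_FAR_TOO_LONG_FOR_ONE_REQUEST",
    "TERM=vt100", "TERM=vt100", "TERM=vt100", "TERM=vt100",
};
static const size_t constructed_count =
    sizeof constructed_requests / sizeof constructed_requests[0];

/* Bytes the weak policy would admit for the constructed stream. */
size_t demo_weak(void)
{
    return per_item_policy(constructed_requests, constructed_count);
}

/* Bytes the hardened policy actually stores for the same stream. */
size_t demo_hardened(void)
{
    char area[ENV_AREA];
    return bounded_policy(constructed_requests, constructed_count,
                          area, sizeof area);
}

int main(void)
{
    size_t weak = demo_weak(), hard = demo_hardened();
    printf("per-item check only: would admit %zu bytes into %d (%s)\n",
           weak, ENV_AREA, weak > ENV_AREA ? "OVERRUN" : "ok");
    printf("bounded + counted:   stored %zu bytes into %d (%s)\n",
           hard, ENV_AREA, hard <= ENV_AREA ? "ok" : "OVERRUN");
    return 0;
}
```

With the constructed stream, the per-item check alone admits 88 bytes into a 64-byte area, while the hardened policy stops at the request-count cap after 44 bytes; either of the added checks on its own (room remaining, or request count) would have been enough to keep the total inside the buffer, which is the point of the reply's "limited the size, but not the number".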