Date: Fri, 19 Oct 2001 10:50:15 -0700
From: Greg Shenaut <greg@bogslab.ucdavis.edu>
To: security@FreeBSD.ORG
Subject: Re: Whats to stop one user from being root?
Message-ID: <200110191750.f9JHoFt07041@thistle.bogs.org>
In-Reply-To: Your message of "Fri, 19 Oct 2001 07:27:36 MDT." <001101c158a1$d12ab320$f6f073d1@mpionline.com>
In message <001101c158a1$d12ab320$f6f073d1@mpionline.com>, "Tomek" cleopede:
>Hey there,
>I have 2 questions really, maybe they are obvious, maybe not.
>
>1. What is to stop a user program from calling halfway in the middle of
>"chmod" for example and bypassing any security checking code? I know
>this would be highly dependent on kernel version, but is there
>protection against this?
>
>2. In reference to the telnet buffer overflow security problem, how is
>it that something as simple as fetching data for login name and data for
>password was not protected? If anyone has any links to detailed
>information about WHY the buffer overrun works (in great detail), please
>let me know. It's currently beyond me why the incoming data wasn't
>limited in size before any processing at all.
The telnetd exploit allows someone to run an interactive root shell
without logging in. The telnetd program starts up as root; the exploit
manages to overflow memory by performing thousands of setenv requests,
and causes an "exec /bin/sh" to take place. This happens before any
authentication takes place.
Telnetd limited the size, but not the number or contents of setenv
requests; this, plus the availability of the program source, allowed
someone to create this exploit.
I found out a little about how it worked when someone used it to
hack into my system, and then was (apparently) using my system as
a base to hack into other systems. He left a copy of the "bsdtelnet"
program and its source code on my system.
I tried running the program ("bsdtelnet localhost") and within ten
minutes or less I was looking at a root shell prompt.
Greg Shenaut
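An added illustration of the bounds point made above (each request's size was capped, but neither the number of requests nor the total they accumulate was), written as defensive example code for this thread; it is not telnetd's code, and every name and limit in it is constructed:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-capacity store for setenv-style option requests.
   Three independent limits; the per-item one alone is what the message
   says telnetd had, the other two are what it says was missing. */
#define MAX_ITEM_LEN 64    /* per-request size cap                  */
#define MAX_ITEMS    32    /* cap on the number of requests kept    */
#define STORE_BYTES  1024  /* fixed storage; checked before copying */

struct env_store {
    char   buf[STORE_BYTES];
    size_t used;   /* bytes consumed so far */
    size_t count;  /* requests kept so far  */
};

/* Returns 0 if the request is stored, -1 if it is rejected.
   A rejected request changes nothing, so an unbounded stream of
   individually valid requests can never push past STORE_BYTES. */
int env_store_add(struct env_store *s, const char *item) {
    size_t len = strlen(item);
    if (len > MAX_ITEM_LEN)              return -1; /* per-item size   */
    if (s->count >= MAX_ITEMS)           return -1; /* request count   */
    if (len + 1 > STORE_BYTES - s->used) return -1; /* total capacity  */
    memcpy(s->buf + s->used, item, len + 1);
    s->used  += len + 1;
    s->count += 1;
    return 0;
}

/* Feeds the same request n times and returns how many were accepted. */
size_t burst(struct env_store *s, const char *item, size_t n) {
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (env_store_add(s, item) == 0) accepted++;
    return accepted;
}

/* Bytes a per-item-only check would let n maximum-size requests accumulate. */
size_t bytes_with_per_item_cap_only(size_t n) { return n * (MAX_ITEM_LEN + 1); }

int main(void) {
    struct env_store s = {{0}, 0, 0};
    char item[MAX_ITEM_LEN + 1];
    memset(item, 'A', MAX_ITEM_LEN); item[MAX_ITEM_LEN] = '\0';
    size_t ok = burst(&s, item, 5000);
    printf("kept %zu of 5000 requests, %zu of %d bytes used\n", ok, s.used, STORE_BYTES);
    printf("per-item cap alone would admit %zu bytes\n", bytes_with_per_item_cap_only(5000));
    return 0;
}
```

With a store of 1024 bytes, 5000 maximum-size requests stop at 15 kept and 975 bytes used; the same requests under a per-item cap alone would need 325000 bytes.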
