Date: Fri, 19 Oct 2001 10:50:15 -0700
From: Greg Shenaut <greg@bogslab.ucdavis.edu>
To: security@FreeBSD.ORG
Subject: Re: Whats to stop one user from being root?
Message-ID: <200110191750.f9JHoFt07041@thistle.bogs.org>
In-Reply-To: Your message of "Fri, 19 Oct 2001 07:27:36 MDT." <001101c158a1$d12ab320$f6f073d1@mpionline.com>

In message <001101c158a1$d12ab320$f6f073d1@mpionline.com>, "Tomek" cleopede:
>Hey there,
>I have 2 questions really, maybe they are obvious, maybe not.
>
>1. What is to stop a user program from calling half way in the middle of
>"chmod" for example and bypassing any security checking code? I know
>this would be highly depending on kernel version, but is there
>protection against this?
>
>2. In reference to the telnet buffer overflow security problem, how is
>it that something as simple as fetching data for login name and data for
>password was not protected? If anyone has any links to detailed
>information about WHY the buffer overrun works (in great detail), please
>let me know. It's currently beyond me why the incoming data wasn't
>limited in size before any processing at all.

The telnetd exploit allows someone to run an interactive root shell
without logging in. The telnetd program starts up as root; the exploit
manages to overflow memory by performing thousands of setenv requests,
and causes an "exec /bin/sh" to take place. This happens before any
authentication takes place. Telnetd limited the size, but not the
number or contents of setenv requests; this, plus the availability of
the program source, allowed someone to create this exploit.

I found out a little about how it worked when someone used it to hack
into my system, and then was (apparently) using my system as a base to
hack into other systems. He left a copy of the "bsdtelnet" program and
its source code on my system. I tried running the program ("bsdtelnet
localhost") and within ten minutes or less I was looking at a root
shell prompt.

Greg Shenaut

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
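
The message above says telnetd limited the size of setenv requests but not their number or contents. The following is an added example, not part of the original message and not FreeBSD telnetd code, of one way a daemon could bound all three before authentication; the limits, the name rules and the `env_accept` function are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Limits are assumed values for illustration, not telnetd's own. */
#define ENV_MAX_VARS  32   /* cap on the NUMBER of variables */
#define ENV_MAX_NAME  32   /* cap on the SIZE of each name */
#define ENV_MAX_VALUE 256  /* cap on the SIZE of each value */
enum env_rc { ENV_OK, ENV_TOO_LONG, ENV_TOO_MANY, ENV_BAD_NAME, ENV_BAD_VALUE };

struct env_store {
    size_t count;
    char name[ENV_MAX_VARS][ENV_MAX_NAME + 1];
    char value[ENV_MAX_VARS][ENV_MAX_VALUE + 1];
};

/* CONTENTS of the name: [A-Z0-9_] only, and never a dynamic-linker LD_* name. */
static int name_ok(const char *n, size_t len) {
    if (len == 0 || strncmp(n, "LD_", 3) == 0) return 0;
    return strspn(n, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_") == len;
}

/* Accept one parsed, NUL-terminated request, or report why it was refused. */
enum env_rc env_accept(struct env_store *s, const char *name, const char *value) {
    size_t nlen = strlen(name), vlen = strlen(value);
    if (nlen > ENV_MAX_NAME || vlen > ENV_MAX_VALUE) return ENV_TOO_LONG;
    if (!name_ok(name, nlen)) return ENV_BAD_NAME;
    for (size_t k = 0; k < vlen; k++) {      /* CONTENTS of the value: printable ASCII */
        unsigned char c = (unsigned char)value[k];
        if (c < 0x20 || c > 0x7e) return ENV_BAD_VALUE;
    }
    size_t i = 0;                            /* a repeated name reuses its slot */
    while (i < s->count && strcmp(s->name[i], name) != 0) i++;
    if (i == s->count) {                     /* new name: NUMBER cap, table never grows */
        if (s->count >= ENV_MAX_VARS) return ENV_TOO_MANY;
        memcpy(s->name[i], name, nlen + 1);
        s->count++;
    }
    memcpy(s->value[i], value, vlen + 1);
    return ENV_OK;
}

int main(void) {                             /* constructed flood of 5000 distinct names */
    struct env_store s = {0};
    char name[ENV_MAX_NAME + 1];
    for (int i = 0; i < 5000; i++) {
        snprintf(name, sizeof name, "VAR%d", i);
        env_accept(&s, name, "x");
    }
    printf("stored %zu of 5000 requests\n", s.count);
    return 0;
}
```

Because the table is a fixed-size array and every copy is bounded by a length already checked against it, memory use stays constant no matter how many requests arrive.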