From owner-freebsd-security Sun Aug 10 08:09:46 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA24847 for security-outgoing; Sun, 10 Aug 1997 08:09:46 -0700 (PDT)
Received: from server.local.sunyit.edu (A-T34.rh.sunyit.edu [150.156.210.241]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA24842 for ; Sun, 10 Aug 1997 08:09:44 -0700 (PDT)
Received: from localhost (perlsta@localhost) by server.local.sunyit.edu (8.8.5/8.8.5) with SMTP id KAA07451; Sun, 10 Aug 1997 10:13:04 GMT
X-Authentication-Warning: server.local.sunyit.edu: perlsta owned process doing -bs
Date: Sun, 10 Aug 1997 10:13:04 +0000 (GMT)
From: Alfred Perlstein
X-Sender: perlsta@server.local.sunyit.edu
To: "Jonathan A. Zdziarski"
cc: Brian Mitchell , bugtraq@netspace.org, freebsd-security@FreeBSD.ORG
Subject: Re: procfs hole
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

ok, here's the deal, the exploit was written SPECIFICALLY for SU but I
assume almost any setuid program can be modified to do any kinda nasty
thing just by patching its code.

Getting root access isn't the only "bad" thing, it could somehow patch the
program by putting an "exec" somewhere in it :) or it could just be used
to make PASSWD misbehave...

._________________________________________ __ _
|Alfred Perlstein - Programming & SysAdmin
|perlsta@sunyit.edu
|http://www.cs.sunyit.edu/~perlsta
:
---"Have you seen my FreeBSD tatoo?"
'

On Sun, 10 Aug 1997, Jonathan A. Zdziarski wrote:

> never mind about my last message - I was finally able to get it to work on
> both 2.2.2 and 2.2.1 systems. ack. is the 'su' command the only
> feasible method of manipulating this problem, or do you think it could be
> done with other setuid programs? I'm running sudo, and can disable su,
> but then again what if sudo can be modified.
>
> -------------------------------------------------------------------------
> Jonathan A. Zdziarski                                NetRail Incorporated
> Server Engineering Manager                   230 Peachtree St. Suite 500
> jonz@netrail.net                                       Atlanta, GA 30303
> http://www.netrail.net                                    (888) - NETRAIL
> -------------------------------------------------------------------------