From owner-freebsd-security@FreeBSD.ORG Sat Jul 31 13:04:15 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3D0D31065670 for ; Sat, 31 Jul 2010 13:04:15 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from mail.zoral.com.ua (mx0.zoral.com.ua [91.193.166.200]) by mx1.freebsd.org (Postfix) with ESMTP id A03C18FC1B for ; Sat, 31 Jul 2010 13:04:14 +0000 (UTC) Received: from deviant.kiev.zoral.com.ua (root@deviant.kiev.zoral.com.ua [10.1.1.148]) by mail.zoral.com.ua (8.14.2/8.14.2) with ESMTP id o6VD4AZ8034651 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 31 Jul 2010 16:04:10 +0300 (EEST) (envelope-from kostikbel@gmail.com) Received: from deviant.kiev.zoral.com.ua (kostik@localhost [127.0.0.1]) by deviant.kiev.zoral.com.ua (8.14.4/8.14.4) with ESMTP id o6VD4Ace089736; Sat, 31 Jul 2010 16:04:10 +0300 (EEST) (envelope-from kostikbel@gmail.com) Received: (from kostik@localhost) by deviant.kiev.zoral.com.ua (8.14.4/8.14.4/Submit) id o6VD4AHJ089735; Sat, 31 Jul 2010 16:04:10 +0300 (EEST) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: deviant.kiev.zoral.com.ua: kostik set sender to kostikbel@gmail.com using -f Date: Sat, 31 Jul 2010 16:04:10 +0300 From: Kostik Belousov To: Istv??n Message-ID: <20100731130410.GO22295@deviant.kiev.zoral.com.ua> References: <235BB726E71747BA980A0EF60F76ED37@2WIRE304> <20100731124136.GN22295@deviant.kiev.zoral.com.ua> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="+0mKm/ENadSkQxF+" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i X-Virus-Scanned: clamav-milter 0.95.2 at skuns.kiev.zoral.com.ua X-Virus-Status: Clean X-Spam-Status: No, score=-2.3 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_40, DNS_FROM_OPENWHOIS autolearn=no version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on skuns.kiev.zoral.com.ua Cc: freebsd-security , Selphie Keller Subject: Re: kernel module for chmod restrictions while in securelevel one or higher X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 Jul 2010 13:04:15 -0000 --+0mKm/ENadSkQxF+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Jul 31, 2010 at 01:59:43PM +0100, Istv??n wrote: > http://www.securiteam.com/exploits/6P00C00EKO.html This is an exploit for the archaic SA-05:02.sendfile. Op (semi-)obviously means exploit for the recent SA-10:07.mbuf, for which I am very curious whether the working exploit appeared in the wild. >=20 > On Sat, Jul 31, 2010 at 1:41 PM, Kostik Belousov wro= te: >=20 > > On Fri, Jul 30, 2010 at 11:18:39PM -0700, Selphie Keller wrote: > > > Kernel module for chmod restrictions while in securelevel one or high= er: > > > http://gist.github.com/501800 (fbsd 8.x) > > > > > > Was looking at the new recent sendfile/mbuf exploit and it was using a > > > shellcode that calls chmod syscall to make a setuid/setgid binary. > > However > > Can you point to the exploit (code) ? > > >=20 >=20 >=20 > --=20 > the sun shines for all >=20 > http://l1xl1x.blogspot.com --+0mKm/ENadSkQxF+ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD) iEYEARECAAYFAkxUH0oACgkQC3+MBN1Mb4ivegCfRB4VAekrICL9OY/nlBoTXHxC YYAAoLRcOLkD/RbxMi63FECo6flAdY+x =rjGO -----END PGP SIGNATURE----- --+0mKm/ENadSkQxF+--