From owner-freebsd-security  Sat Aug 24 03:14:11 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id DAA25307
          for security-outgoing; Sat, 24 Aug 1996 03:14:11 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id DAA25300
          for <security@freebsd.org>; Sat, 24 Aug 1996 03:14:06 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.13/1.53)
    id MAA04792; Sat, 24 Aug 1996 12:13:56 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199608241013.MAA04792@gvr.win.tue.nl>
Subject: Re: [Fwd: mount bug..]
To: julian@whistle.com (Julian Elischer)
Date: Sat, 24 Aug 1996 12:13:55 +0200 (MET DST)
Cc: security@freebsd.org
In-Reply-To: <321DF44B.6201DD56@whistle.com> from Julian Elischer at "Aug 23, 96 11:11:23 am"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Julian Elischer wrote:
> This doesn't work, but I'm wondering why it says it's for freeBSD..
> did it work on an earlier version? (even with bin replaced by sbin)
> 
> umount is not suid anyhow, but.....
> does anyone know about this?

Since they use umount to do the exploit I cannot imagine how they would
ever get a root shell....umount is not suid.

-Guido