Date: Thu, 12 Jul 2001 10:42:09 +0400
From: Eugene Panenko <esp@agama.com>
To: "Przemyslaw Frasunek" <venglin@freebsd.lublin.pl>
Cc: gvs@rinet.ru, bugtraq@securityfocus.com, security@FreeBSD.ORG
Subject: Re: FreeBSD 4.3 local root
Message-ID: <20010712104209.71f6ae0a.esp@agama.com>
In-Reply-To: <049201c10a05$5dc17bc0$2001a8c0@clitoris>
References: <20010711121224.J96652-100000@localhost> <049201c10a05$5dc17bc0$2001a8c0@clitoris>

Hello,
/usr/bin/login works for me (tested under 4.2 & 4.3-RELEASE)
On Wed, 11 Jul 2001 14:31:06 +0200
"Przemyslaw Frasunek" <venglin@freebsd.lublin.pl> wrote:
>> Well, after a bunch of tests I've found only two suids which gave me
>> suid shell:
>> /usr/bin/passwd
>> /usr/local/bin/ssh1
> /usr/bin/su also works for me:
> riget:venglin:~> egrep -e execl vvfreebsd.c
> if(!execl("/usr/bin/su","su","szymon",0))
> riget:venglin:~> ./v
> vvfreebsd. Written by Georgi Guninski
> shall jump to bfbffe72
> child=57660
> Password:done
> # id
> uid=0(root) gid=1001(users) groups=1001(users), 99(rexec)
>> So, quick workaround should be
> Quick workaround is to limit arguments, environment and filter non-ascii
> characters:
> http://www.frasunek.com/sources/security/rexec/
> --
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
--
Regards,
Eugene Panenko
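
The workaround quoted above (limit arguments and environment, filter non-ASCII characters) can be sketched as a check run before a privileged program is executed. This is an added example, not part of the original message and not the code at the linked rexec URL; the limits and the names vet_vector and vet_exec_vectors are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for illustration; the thread gives no numbers. */
#define MAX_STRINGS 64   /* entries per vector */
#define MAX_STRLEN  256  /* bytes per argument or variable */
#define MAX_TOTAL   4096 /* bytes across argv and envp together */

enum vet_result { VET_OK = 0, VET_TOO_MANY, VET_TOO_LONG, VET_TOO_BIG, VET_NON_ASCII };

/* Check one NULL-terminated vector; *total accumulates bytes across calls. */
static enum vet_result vet_vector(char *const vec[], size_t *total)
{
    size_t n, i;

    for (n = 0; vec != NULL && vec[n] != NULL; n++) {
        if (n >= MAX_STRINGS)
            return VET_TOO_MANY;
        for (i = 0; vec[n][i] != '\0'; i++) {
            unsigned char c = (unsigned char)vec[n][i];
            if (i >= MAX_STRLEN)
                return VET_TOO_LONG;
            /* Allow printable ASCII and tab; reject control and 8-bit bytes. */
            if (c != '\t' && (c < 0x20 || c > 0x7e))
                return VET_NON_ASCII;
        }
        *total += i + 1;
        if (*total > MAX_TOTAL)
            return VET_TOO_BIG;
    }
    return VET_OK;
}

/* Vet both vectors; a caller would refuse to exec unless this returns VET_OK. */
enum vet_result vet_exec_vectors(char *const argv[], char *const envp[])
{
    size_t total = 0;
    enum vet_result r = vet_vector(argv, &total);
    return r != VET_OK ? r : vet_vector(envp, &total);
}

int main(void)
{
    char *argv_ok[] = { "su", "szymon", NULL };            /* constructed sample */
    char *envp_bad[] = { "TERM=vt100", "X=\x90\x90", NULL }; /* constructed sample */
    printf("%d\n", vet_exec_vectors(argv_ok, envp_bad));
    return 0;
}
```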
