Date: Thu, 12 Jul 2001 10:42:09 +0400
From: Eugene Panenko <esp@agama.com>
To: "Przemyslaw Frasunek" <venglin@freebsd.lublin.pl>
Cc: gvs@rinet.ru, bugtraq@securityfocus.com, security@FreeBSD.ORG
Subject: Re: FreeBSD 4.3 local root
Message-ID: <20010712104209.71f6ae0a.esp@agama.com>
In-Reply-To: <049201c10a05$5dc17bc0$2001a8c0@clitoris>
References: <20010711121224.J96652-100000@localhost> <049201c10a05$5dc17bc0$2001a8c0@clitoris>

Hello,

/usr/bin/login works for me (tested under 4.2 & 4.3-RELEASE)

On Wed, 11 Jul 2001 14:31:06 +0200
"Przemyslaw Frasunek" <venglin@freebsd.lublin.pl> wrote:

>> Well, after a bunch of tests I've found only two suids which gave me
>> suid shell:
>> /usr/bin/passwd
>> /usr/local/bin/ssh1
>
> /usr/bin/su also works for me:
>
> riget:venglin:~>> egrep -e execl vvfreebsd.c
>         if(!execl("/usr/bin/su","su","szymon",0))
> riget:venglin:~>> ./v
> vvfreebsd. Written by Georgi Guninski
> shall jump to bfbffe72
> child=57660
> Password:done
> # id
> uid=0(root) gid=1001(users) groups=1001(users), 99(rexec)
>
>> So, quick workaround should be
>
> Quick workaround is to limit arguments, environment and filter non-ascii
> characters:
>
> http://www.frasunek.com/sources/security/rexec/
>
> --
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Regards,
Eugene Panenko