Date: Thu, 12 Jul 2001 10:42:09 +0400
From: Eugene Panenko
To: "Przemyslaw Frasunek"
Cc: gvs@rinet.ru, bugtraq@securityfocus.com, security@FreeBSD.ORG
Subject: Re: FreeBSD 4.3 local root

Hello,

/usr/bin/login works for me (tested under 4.2 & 4.3-RELEASE)

On Wed, 11 Jul 2001 14:31:06 +0200
"Przemyslaw Frasunek" wrote:

>> Well, after a bunch of tests I've found only two suids which gave me
>> suid shell:
>> /usr/bin/passwd
>> /usr/local/bin/ssh1
>
> /usr/bin/su also works for me:
>
> riget:venglin:~>> egrep -e execl vvfreebsd.c
> if(!execl("/usr/bin/su","su","szymon",0))
> riget:venglin:~>> ./v
> vvfreebsd. Written by Georgi Guninski
> shall jump to bfbffe72
> child=57660
> Password:done
> # id
> uid=0(root) gid=1001(users) groups=1001(users), 99(rexec)
>
>> So, quick workaround should be
>
> Quick workaround is to limit arguments, environment and filter non-ascii
> characters:
>
> http://www.frasunek.com/sources/security/rexec/
>
> --
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Regards,
Eugene Panenko
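
The workaround quoted in this message (limit arguments, limit environment, filter non-ASCII characters) can be expressed as a check run before a set-uid program is executed. The following C code is an added example, not the code at the linked URL and not written by either poster; the name vet_exec and all three limits are assumptions chosen for illustration.

```c
#include <stddef.h>

/* Constructed limits for illustration; not taken from the thread. */
#define MAX_VEC_ENTRIES 64    /* max strings in argv or in envp */
#define MAX_STR_LEN     256   /* max bytes in any single string */
#define MAX_TOTAL_BYTES 4096  /* max bytes across argv and envp together */

enum exec_verdict { EXEC_OK = 0, EXEC_TOO_MANY, EXEC_TOO_LONG, EXEC_NON_ASCII };

/* Check one NULL-terminated string vector and add its size to *total. */
static enum exec_verdict check_vec(char *const vec[], size_t *total)
{
    size_t n, len;

    if (vec == NULL)
        return EXEC_OK;
    for (n = 0; vec[n] != NULL; n++) {
        const unsigned char *s = (const unsigned char *)vec[n];

        if (n >= MAX_VEC_ENTRIES)
            return EXEC_TOO_MANY;
        for (len = 0; s[len] != '\0'; len++) {
            if (len >= MAX_STR_LEN)
                return EXEC_TOO_LONG;
            /* Allow printable ASCII and tab; reject control and 8-bit bytes. */
            if ((s[len] < 0x20 && s[len] != '\t') || s[len] > 0x7e)
                return EXEC_NON_ASCII;
        }
        *total += len + 1;
        if (*total > MAX_TOTAL_BYTES)
            return EXEC_TOO_LONG;
    }
    return EXEC_OK;
}

/* Hypothetical policy hook: call before execve() of a set-uid binary and
 * refuse the exec unless the result is EXEC_OK. */
enum exec_verdict vet_exec(char *const argv[], char *const envp[])
{
    size_t total = 0;
    enum exec_verdict v = check_vec(argv, &total);

    if (v != EXEC_OK)
        return v;
    return check_vec(envp, &total);
}
```

A filter like this narrows what can be passed to a set-uid program but does not fix the underlying bug, which is why the thread calls it a quick workaround.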