From owner-freebsd-stable Mon Jul 12 7:57:32 1999
Message-ID: <378A015B.2CBE0569@newsguy.com>
Date: Mon, 12 Jul 1999 23:53:15 +0900
From: "Daniel C. Sobral"
To: Mike Tancsa
Cc: security@FreeBSD.ORG, stable@FreeBSD.ORG
Subject: Re: 3.x backdoor rootshell security hole
References: <4.1.19990712080116.053e4430@granite.sentex.ca>

Mike Tancsa wrote:
>
> Has anyone looked at the article below? Here is a quote,
>
> "The following module was a nice idea I had when playing around with the
> proc structure. Load this module, and you can 'SU' without a password. The
> idea is very simple. The module implements a system call that gets one
> argument : a PID. This can be the PID of any process, but will normally be
> the PID of your user account shell (tcsh, sh, bash or whatever). This
> process will then become root (UID 0) by manipulating its cred structure.
> Here we go : "

All of the article assumes you have got into root first. Once you
get root, you can do anything. The article just shows how.

Or, more to the point, the article doesn't show *any* exploit.

--
Daniel C. Sobral (8-DCS)
dcs@newsguy.com
dcs@freebsd.org

I'm one of those bad things that happen to good people.