From owner-freebsd-security Thu Jul 12 12:54:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from mta4.rcsntx.swbell.net (mta4.rcsntx.swbell.net [151.164.30.28]) by hub.freebsd.org (Postfix) with ESMTP id 9C2BD37B403 for ; Thu, 12 Jul 2001 12:54:30 -0700 (PDT) (envelope-from ryanpek@swbell.net) Received: from mhx800 ([64.219.216.69]) by mta4.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.2000.03.23.18.03.p10) with SMTP id <0GGD00F48LXDEA@mta4.rcsntx.swbell.net> for freebsd-security@freebsd.org; Thu, 12 Jul 2001 14:53:37 -0500 (CDT) Date: Thu, 12 Jul 2001 14:51:32 -0500 From: Ryan Subject: Re: FreeBSD 4.3 local root PREVENTIONS To: freebsd-security@freebsd.org Message-id: <000801c10b0c$0d830d10$45d8db40@mhx800> MIME-version: 1.0 X-Mailer: Microsoft Outlook Express 5.50.4522.1200 Content-type: text/plain; charset="iso-8859-1" Content-transfer-encoding: 7bit X-MSMail-Priority: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 References: <20010712162140.N17358-100000@cactus.fi.uba.ar> X-Priority: 3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org true ;\ Try this running it in a chroot mkdir test cd test mkdir /tmp compile it exploit then run chroot /path_to/test ./vv see if that works to ----- Original Message ----- From: "Fernando Gleiser" To: "Ryan" Cc: Sent: Thursday, July 12, 2001 2:24 PM Subject: Re: FreeBSD 4.3 local root PREVENTIONS > On Thu, 12 Jul 2001, Ryan wrote: > > > another extra thing you can do is set the permissions on /bin/ > > like I have everything in there chmod 111 > > > > which would prevent copying > > bash-2.05$ cp /bin/sh /tmp/ > > cp: /bin/sh: Permission denied > > It doesn't help much, you can symlink /tmp/sh to /bin/sh. Or, as others > have noted, you can edit the shellcode to exec whatever you want.: > > bash-2.03$ ls -l /bin/sh > ---x--x--x 1 root wheel 446952 Apr 21 06:05 /bin/sh > bash-2.03$ ln -s /bin/sh /tmp/sh > bash-2.03$ ./a.out > vvfreebsd. Written by Georgi Guninski > shall jump to bfbffe72 > child=749 > login: done > # id > uid=0(root) gid=1001(fgleiser) groups=1001(fgleiser), 0(wheel) > # > > > > > > > > So simple things like going into all the folders and chmod'n things is a > > very good idea for a lil extra security. > > > > along with copying /bin/sh to /tmp/ > > and chmod 0 /tmp/sh > > > > Ryan > > ryanpek@swbell.net > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message