From owner-freebsd-security Thu Jul 12 12:58:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 22E5537B40C for ; Thu, 12 Jul 2001 12:58:22 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 88139 invoked from network); 12 Jul 2001 19:58:24 -0000 Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 12 Jul 2001 19:58:24 -0000 Message-ID: <001201c10b0c$ffec16a0$97625c42@alexus> From: "alexus" To: "Fernando Gleiser" , "Portwood, Jason" Cc: References: <20010712163504.E20419-100000@cactus.fi.uba.ar> Subject: Re: FreeBSD 4.3 local root PREVENTIONS Date: Thu, 12 Jul 2001 15:58:20 -0400 Organization: NexGen MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2499.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2499.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org i've tryed this exploit on FBSD4.2-R and it didn't work and i've tryed it on 4.3-R i just compile it and run it.. or there is somethin else needs to be done? ----- Original Message ----- From: "Fernando Gleiser" To: "Portwood, Jason" Cc: Sent: Thursday, July 12, 2001 3:43 PM Subject: RE: FreeBSD 4.3 local root PREVENTIONS > On Thu, 12 Jul 2001, Portwood, Jason wrote: > > > > > > > > > > So simple things like going into all the folders and chmod'n > > > things is a very good idea for a lil extra security. > > > > > > along with copying /bin/sh to /tmp/ > > > and chmod 0 /tmp/sh > > > > > > > Wouldn't it be a better practice to just mount all the partitions that don't > > need suid as nosuid? Just off the top of my head those candidates would > > be > > Yes, it is a better practice, but in this case it doesn't help. The suid > binary you are exec(2)ing is in /bin. > > bash-2.03$ mount | grep tmp > /dev/ad2s2 on /tmp (ufs, local, nosuid) > ^^^^^^ > > bash-2.03$ ./a.out > vvfreebsd. Written by Georgi Guninski > shall jump to bfbffe72 > child=996 > login: # done > # id > uid=0(root) gid=1001(fgleiser) groups=1001(fgleiser) > > > Fer > > > > > /tmp > > /home > > /var > > > > Is there a good reason for not doing this? > > > > Jason Portwood > > jason@iac.net > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message