From owner-freebsd-security Thu Jul 12 13:14: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mdma.playboy.com (mdma.playboy.com [216.163.140.20])
	by hub.freebsd.org (Postfix) with ESMTP id 2DC7537B403
	for ; Thu, 12 Jul 2001 13:13:57 -0700 (PDT)
	(envelope-from jamie@playboy.com)
Received: by mdma.playboy.com (Postfix, from userid 100)
	id D38851279A; Thu, 12 Jul 2001 15:13:38 -0500 (CDT)
Date: Thu, 12 Jul 2001 15:13:38 -0500
From: jamie rishaw
To: alexus
Cc: Gabriel Rocha , Mike Tancsa , security@freebsd.org
Subject: Re: FreeBSD 4.3 local root
Message-ID: <20010712151338.G14782@playboy.com>
References: <001f01c10af7$9b42f120$97625c42@alexus> <5.1.0.14.0.20010712132715.035c48a0@marble.sentex.ca> <001801c10b0e$1976d370$97625c42@alexus>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <001801c10b0e$1976d370$97625c42@alexus>; from ml@db.nexgen.com on Thu, Jul 12, 2001 at 04:06:12PM -0400
X-No-Archive: yes
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

No offense, guys, but I'm sure a lot of us have better things to do
than to read status reports from people across the Internet on whether
or not an exploit worked for them.

Patch your systems. Maintain security. Don't add untrusted users.

Best regards..

/jr

On Thu, Jul 12, 2001 at 04:06:12PM -0400, alexus wrote:
> doesn't work for me on 4.2R
>
> ----- Original Message -----
> From: "Mike Tancsa"
> To: "Gabriel Rocha"
> Cc:
> Sent: Thursday, July 12, 2001 1:28 PM
> Subject: Re: FreeBSD 4.3 local root
>
>
> >
> > Is the program called vv or a.out ?
> >
> > As a non priv user, try this
> >
> > cp /bin/sh /tmp/sh
> > gcc exploitcode.c -o vv
> > ./vv
> >
> >
> > ---Mike
> >
> >
> > At 01:29 PM 7/12/01 -0400, Gabriel Rocha wrote:
> > >couple of points:
> > > 1-It does not work for me;
> > >
> > > FreeBSD lorax.neutraldomain.org 4.3-RELEASE FreeBSD
> > > 4.3-RELEASE #0: Sat Jun 23 01:52:58 PDT 2001
> > > root@lorax.neutraldomain.org:/usr/src/sys/compile/lorax
> > > i386
> > >
> > > 2-At first I tried it with /tmp mounted no-exec (that's what I
> > > have in fstab) I thought that was why the exploit didn't work,
> > > remounted /tmp without the no-exec flag and tried again. It
> > > still does not work, it hangs for hours on end, this last
> > > iteration has been running for a couple days now and nothing has
> > > come of it.
> > >
> > >Ideas on why it doesn't work? --gabe
> > >
> > >
> > >,----[ On Thu, Jul 12, at 01:25PM, alexus wrote: ]--------------
> > >| is there any fix for that?
> > >|
> > >| > > about how long does the exploit run before giving you a root shell?
> > >| >
> > >| > Immediately. Shellcode calls /tmp/sh, not /bin/sh, so copy it to /tmp.
> > >`----[ End Quote ]---------------------------
> > >
> > >--
> > >
> > >"It's not brave if you're not scared."
> > >
> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
> > >with "unsubscribe freebsd-security" in the body of the message
> >
>

-- 
jamie rishaw
sr. wan/unix engineer/ninja // playboy enterprises inc.
opinions stated are mine, and are not necessarily those of the bunny.
dance like it hurts. love like you need money. work when people are watching.