From owner-freebsd-security Thu Jul 31 09:23:56 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA18176 for security-outgoing; Thu, 31 Jul 1997 09:23:56 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA18171 for ; Thu, 31 Jul 1997 09:23:49 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id MAA27641; Thu, 31 Jul 1997 12:20:04 -0400 (EDT)
From: Adam Shostack
Message-Id: <199707311620.MAA27641@homeport.org>
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707310301.MAA25307@genesis.atrad.adelaide.edu.au> from Michael Smith at "Jul 31, 97 12:31:46 pm"
To: msmith@atrad.adelaide.edu.au (Michael Smith)
Date: Thu, 31 Jul 1997 12:20:04 -0400 (EDT)
Cc: gilbertp@videotron.com, security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Michael Smith wrote:
| Patrick Gilbert stands accused of saying:
| >
| > After a brief discussion with TheCa on Efnet, he dcc'd me his famous
| > exploit for a transcript of
| > his brief moment of fame on this discussion list.
|
| Oh, what a d00d.
|
| > execl("/usr/bin/sperl5.00403",
| > "/usr/bin/sperl5.00403", buf, NULL);
| > }
|
| This looks like a Linux exploit; there is no Perl5 in the FreeBSD tree, and
| if it were installed from the port/package it would be in /usr/local/bin.

This looks to me like a PERL5.004 exploit, not a linux exploit. It's
just that the egg is the linux egg, not the FreeBSD egg. The egg code
(nicely commented!) can be found in Leshka Zakharoff's ppp or cron
overflows.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                        -Hume