Date: Tue, 15 Sep 2009 17:02:15 -0700
From: Xin LI <delphij@delphij.net>
To: utisoft@googlemail.com
Cc: freebsd-security@freebsd.org, Frederique Rijsdijk <frederique@isafeelin.org>
Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x)
Message-ID: <4AB02B07.8050404@delphij.net>
In-Reply-To: <0016e6d99efa540b8b047399738b@google.com>
References: <0016e6d99efa540b8b047399738b@google.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

utisoft@googlemail.com wrote:
> It appears to only affect 6.x.... and requires local access. If an
> attacker has local access to a machine you're screwed anyway.

'local' here means login as a local user, i.e. ssh/telnet/etc, not
console access which seems to be what you mean by 'local access'.

Note that, in order to successfully exploit this vulnerability, a remote
attacker still needs someone or something to run the code on their
behalf; typically this would have to be used in conjunction with some
other remote vulnerability (i.e. some popular remote admin tool that
allows you to upload and run something on web server's context, etc).

We are still working on this one; it looks like we would need to
patch some other problems altogether.

Cheers,
- --
Xin LI <delphij@delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)

iEYEARECAAYFAkqwKwcACgkQi+vbBBjt66BtawCgsDhrON8DzvX7A6M1O37A2Qw6
/54An0CAgPeTTJcJKcdkVWcF9qX0FVuY
=EeKO
-----END PGP SIGNATURE-----