From owner-freebsd-security  Mon Jul 15 05:56:12 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id FAA04861
          for security-outgoing; Mon, 15 Jul 1996 05:56:12 -0700 (PDT)
Received: from umbc7.umbc.edu (pauld@f-umbc7.umbc.edu [130.85.3.7])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id FAA04855
          for <freebsd-security@freebsd.org>; Mon, 15 Jul 1996 05:56:08 -0700 (PDT)
Received: (from pauld@localhost) by umbc7.umbc.edu (8.6.12/Umbc) id IAA23804; Mon, 15 Jul 1996 08:56:04 -0400
Date: Mon, 15 Jul 1996 08:56:04 -0400 (EDT)
From: Paul Danckaert <pauld@umbc.edu>
To: jbhunt <jbhunt@mercury.gaianet.net>
cc: freebsd-security@freebsd.org, root@mercury.gaianet.net
Subject: Re: New EXPLOIT located!
In-Reply-To: <Pine.BSF.3.91.960714212321.1806A-300000@mercury.gaianet.net>
Message-ID: <Pine.SGI.3.91.960715085258.23456A@umbc7.umbc.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk


Thats the exact exploit posted days ago to Bugtraq, line for line.  It 
was verified to work on most of the different BSD-based Oses.

To get around it, strip the suid bit off, or run the USC rdist, which 
doesn't care about the suid bit.  We run it here since, in addition to 
not being suid root, we can use it easily with ssh for doing (more) 
secure rdists..

The normal policy we use when setting up machines here is to do a find 
for suid and sgid files on the system.  Pick off the essential ones, and 
strip the bits off any others.  Its saved us from several irix and sun 
holes in the past.. and one or two bsd ones now too.


paul