Date: Tue, 13 Jul 1999 09:43:52 +1000 (EST)
From: Nicholas Brawn
To: Mike Tancsa
Cc: security@FreeBSD.ORG
Subject: Re: 3.x backdoor rootshell security hole
In-Reply-To: <4.1.19990712080116.053e4430@granite.sentex.ca>

On Mon, 12 Jul 1999, Mike Tancsa wrote:

> Has anyone looked at the article below? Here is a quote,
>
> "The following module was a nice idea I had when playing around with the
> proc structure. Load this module, and you can 'SU' without a password. The
> idea is very simple. The module implements a system call that gets one
> argument : a PID. This can be the PID of any process, but will normally be
> the PID of your user account shell (tcsh, sh, bash or whatever). This
> process will then become root (UID 0) by manipulating its cred structure.
> Here we go : "

If an unauthorised individual can get far enough to load rogue modules, then
you have far more important security issues to address first.

Nick