From owner-freebsd-hackers Fri Aug 1 18:51:56 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA25028 for hackers-outgoing; Fri, 1 Aug 1997 18:51:56 -0700 (PDT)
Received: from terror.hungry.com (fn@terror.hungry.com [169.131.1.215]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA25023 for ; Fri, 1 Aug 1997 18:51:54 -0700 (PDT)
Received: (from fn@localhost) by terror.hungry.com (8.8.6/8.8.4) id SAA08923; Fri, 1 Aug 1997 18:51:32 -0700 (PDT)
To: tom@sdf.com (Tom Samplonius)
Cc: freebsd-hackers@freebsd.org
Subject: Re: security hole on FreeBSD 2.2.2
References:
From: Faried Nawaz
Date: 01 Aug 1997 18:51:31 -0700
In-Reply-To: tom@sdf.com's message of 1 Aug 1997 18:34:08 -0700
Message-ID:
Lines: 40
X-Mailer: Gnus v5.3/Emacs 19.34
Sender: owner-freebsd-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

tom@sdf.com (Tom Samplonius) writes:

   On Fri, 1 Aug 1997, Ben Black wrote:

   > exactly. i have no clue what this guy is talking about.

   Exactly. It looks like this guy installed some bogus software, probably
   setuid to root, that has a gaping hole in it.

   Tom

The "bogus" software is called suidperl. There are known exploits for it
that'll work on 2.2.2-RELEASE:

% ls -li sperl4036 /usr/bin/suidperl /usr/bin/sperl4.036
  7749 ---s--x--x  2 root  bin   282624 May 20 03:32 /usr/bin/sperl4.036
  7749 ---s--x--x  2 root  bin   282624 May 20 03:32 /usr/bin/suidperl
184410 -rwx------  1 fn    user    8846 Aug  1 18:43 sperl4036
% id
uid=297(fn) gid=29(user) groups=29(user), 0(wheel), 7(bin)
% ./sperl4036
# id
uid=297(fn) euid=0(root) gid=29(user) groups=29(user), 0(wheel), 7(bin)
# exit
% uname -r
2.2.2-RELEASE
%

For obvious reasons, I won't be posting the exploit. Note that a similar
exploit exists for certain versions of Perl 5.

Your choices are:

1. remove the suid bit on sperl4.036, and
2. upgrade to 2.2-STABLE.

faried.
--
faried nawaz
box 3582, moscow id 83843-1914
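
Added example, not part of Faried Nawaz's message: the listing above shows /usr/bin/suidperl and /usr/bin/sperl4.036 as two names for inode 7749, so the setuid bit is a single bit on a single inode. The functions below (their names and the directory argument are assumptions made for illustration) list setuid files, find every name for an inode, and confirm after chmod that no name still carries the bit, while separate copies on other inodes are reported as still setuid.

```shell
#!/bin/sh
# Added example: audit and clear setuid bits by inode rather than by name.
# Function names are illustrative. DIR would be /usr/bin in the case above.

# setuid_names DIR: every regular file under DIR with the setuid bit set.
setuid_names() {
    find "$1" -xdev -type f -perm -4000 -print
}

# inode_of FILE: inode number of FILE.
inode_of() {
    ls -di "$1" | awk '{ print $1 }'
}

# all_links DIR FILE: every name under DIR that shares FILE's inode.
# Hard links share one inode and therefore one set of mode bits.
# Names outside DIR on the same filesystem are not searched.
all_links() {
    find "$1" -xdev -type f -inum "$(inode_of "$2")" -print
}

# drop_setuid DIR FILE: clear the bit, then check every name for that
# inode. Returns non-zero if chmod fails or any name is still setuid.
drop_setuid() {
    chmod u-s "$2" || return 1
    left=$(all_links "$1" "$2" | while IFS= read -r p; do
        if [ -u "$p" ]; then printf '%s\n' "$p"; fi
    done)
    [ -z "$left" ]
}

# report DIR: "inode<TAB>path" per setuid name, sorted so that hard links
# to the same inode end up on adjacent lines.
report() {
    setuid_names "$1" | while IFS= read -r p; do
        printf '%s\t%s\n' "$(inode_of "$p")" "$p"
    done | sort -n
}
```

Run `report /usr/bin` before and after `drop_setuid /usr/bin /usr/bin/sperl4.036`; any setuid copy of the binary that is a separate file rather than a hard link stays in the report and needs its own chmod.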