From owner-freebsd-security Thu Feb 17 8:31:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id E5FF937B734;
	Thu, 17 Feb 2000 08:31:42 -0800 (PST)
	(envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id IAA37423;
	Thu, 17 Feb 2000 08:31:42 -0800 (PST)
	(envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 17 Feb 2000 08:31:42 -0800 (PST)
From: Kris Kennaway
To: Omachonu Ogali
Cc: Dmitry Valdov, Warner Losh, Brett Glass, Bill Fumerola, Kuzak, freebsd-security@FreeBSD.ORG
Subject: Re: Doscmd
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 17 Feb 2000, Omachonu Ogali wrote:

> Well, if you're su'ing to get to use it, what's the purpose of the
> exploit? Another nifty shell?

I talked to the packetstorm guy and he said this exploit was intended for pre-3.2 versions of FreeBSD which have doscmd setgid kmem (prior to rev 1.13.2.2 of the makefile). If you're still running an old version you should remove the setgid bit.

The umount "exploit" was in case the admin had made umount setugid so users can mount volumes (instead of the correct way, sysctl -w vfs.usermount=1).

I haven't verified whether this exploit actually does anything.

Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
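
Added example, not part of the original message or of FreeBSD's own tooling: a POSIX sh check for the set-id bits the message says to remove from doscmd and umount, with a helper that clears them. The function names and the stand-in files in the demo are constructed for illustration; the caller supplies the real paths on the system being audited.

```sh
#!/bin/sh
# Added example: audit files for the set-id bits the message warns about.
# Function names are illustrative; real paths are supplied by the caller.

# Print "setuid <path>" / "setgid <path>" per finding.
# Returns 1 if any set-id bit was found, 0 otherwise.
audit_setid() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue                  # ignore missing paths
        if [ -u "$f" ]; then echo "setuid $f"; found=1; fi
        if [ -g "$f" ]; then echo "setgid $f"; found=1; fi
    done
    return "$found"
}

# Clear both bits on each existing path, then re-audit (0 means clean).
strip_setid() {
    for f in "$@"; do
        if [ -f "$f" ]; then chmod u-s,g-s "$f"; fi
    done
    audit_setid "$@"
}

# Constructed demo: empty stand-in files, not the real binaries.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/doscmd"; : > "$d/umount"
    chmod 2555 "$d/doscmd"      # setgid, as doscmd was before 3.2
    chmod 4555 "$d/umount"      # setuid, standing in for a set-id umount
    echo "before:"; audit_setid "$d/doscmd" "$d/umount" || true
    echo "after:";  strip_setid "$d/doscmd" "$d/umount" && echo "clean"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

Once umount no longer carries a set-id bit, user mounts are enabled through the `vfs.usermount` sysctl named in the message rather than through file permissions.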