Date: Sat, 1 Mar 1997 13:38:47 +0100
From: j@uriah.heep.sax.de (J Wunsch)
To: dec@phoenix.its.rpi.edu (David E. Cross)
Cc: hackers@freebsd.org
Subject: Re: crt0.o hole...
Message-ID: <Mutt.19970301133847.j@uriah.heep.sax.de>
In-Reply-To: <199702260711.CAA04697@phoenix.its.rpi.edu>; from David E. Cross on Feb 26, 1997 02:11:14 -0500
References: <199702260711.CAA04697@phoenix.its.rpi.edu>
As David E. Cross wrote:

> I am finally getting around to patching that hole... could someone tell me
> where a sample exploit program is?  The one that was originally used against
> me was "crtbsd".  I just want to make sure that I got it right.

The exploit isn't that simple, since you need to dump i386 binary code
onto a very specific part of the overflowed stack array.

However, if you've made sure that you have removed all traces of
ENABLE_STARTUP_LOCALE, and you have removed the getenv("LOCALE_PATH")
in libc, you can be sure to have plugged that hole.  The latter is
basically needed to ensure older but shared linked binaries also
benefit from the change.

You must make absolutely sure that you don't have any setuid or setgid
old (FreeBSD 2.1 through 2.1.6.1) binaries around that are statically
linked.  Extend this to non-set[ug]id binaries as well if you've got
setuid wrappers around (suidperl, sudo etc.).

	file /usr/X11R6/bin/* /usr/local/bin/* /usr/local/sbin/* \
	     /usr/local/libexec/* | fgrep -v dynamically | fgrep -v script |\
	     fgrep -v 'commands text' | fgrep -v 'symbolic link'

-- 
cheers, J"org               joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
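The audit Jörg sketches above, generalized into a script that walks whole directory trees for set-user-ID and set-group-ID files and keeps only those that file(1) reports as statically linked executables (an added example, not code from the original mail; it assumes a POSIX sh, find(1) with -perm, and file(1) in $PATH, and the sample file(1) description strings are constructed):

```shell
#!/bin/sh
# Added example: find set[ug]id executables that are statically linked and so
# still carry their own copy of the pre-fix crt0.o startup code.

# classify_file_output DESCRIPTION
# Returns 0 when a file(1) description (the text after "path: ") denotes a
# statically linked executable.  Mirrors the mail's filter: anything that is
# dynamically linked, a script, "commands text" or a symbolic link is dropped,
# and in addition the line must actually describe an executable.
classify_file_output() {
    case "$1" in
        *dynamically*|*script*|*'commands text'*|*'symbolic link'*) return 1 ;;
        *executable*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_static_setugid DIR...
# Prints "path<TAB>description" for every set-user-ID or set-group-ID regular
# file under the given trees that classify_file_output accepts.
find_static_setugid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r path; do
        desc=$(file "$path" 2>/dev/null) || continue
        desc=${desc#*: }          # strip the leading "path: " file(1) prefix
        if classify_file_output "$desc"; then
            printf '%s\t%s\n' "$path" "$desc"
        fi
    done
}

# Usage: sh check_static_setugid.sh /usr/X11R6/bin /usr/local/bin ...
# With no directories given (e.g. when sourced) nothing is scanned.
if [ $# -gt 0 ]; then
    find_static_setugid "$@"
fi
```

Extend the directory list to /bin, /sbin, /usr/bin, /usr/sbin and /usr/libexec as well, since base-system binaries from the affected releases are just as relevant as third-party ones.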