Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 3 Mar 2001 16:47:21 -0800 (PST)
From:      Dan Phoenix <dphoenix@bravenet.com>
To:        Chris Costello <chris@calldei.com>
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: easy way to crash freebsd
Message-ID:  <Pine.BSO.4.21.0103031637150.6427-100000@gandalf.bravenet.com>
In-Reply-To: <20010303122419.L2028@holly.calldei.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

On Sat, 3 Mar 2001, Chris Costello wrote:

> Date: Sat, 03 Mar 2001 12:24:19 -0600
> From: Chris Costello <chris@calldei.com>
> To: Dan Phoenix <dphoenix@bravenet.com>
> Cc: freebsd-hackers@FreeBSD.ORG
> Subject: Re: easy way to crash freebsd
> 
> On Friday, March 02, 2001, Dan Phoenix wrote:
> > People asking me how this could be used as a local user.
> > Well i guess if you wanted to you could find something root runs
> > that writes to /tmp then umask resolv.conf
> > and echo "" > resolv.conf
> 
>    Could you expand on this, please?  What does finding a root
> utility that writes to /tmp have to do with umasking a file?
> (I've found it rather difficult to umask files in the past.)
> 
> -- 
> +-------------------+----------------------------+
> | Chris Costello    | I just found the last bug. |
> | chris@calldei.com |                            |
> +-------------------+----------------------------+
> 


Well one one the concepts is to umask 4777
then write as many tmp files to the tmp dir as you can symlinking to say
/etc/master.passwd....which would really do nothing i would
imagine...symlinking to spwd.db would prob be better. Afterwards you have
write perms to the file with whatever root wrote to it. I beleive that is
the basic concept....many of these have been fixed. BTW in no way do I
promote this....just explaining the concept.
 
[root@elrond dphoenix]# ls /tmp
commitlog*  elist.log  fcsignup.log  mysql.sock=  screens/
[root@elrond dphoenix]# 

for me shows this.....I guess in this case you could wait for root to
shutdown mysql and link that mysql.sock= to some database you want
overwritten. I am not sure if it works the same for socket files.
Best to ask one the unix gurus :)



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSO.4.21.0103031637150.6427-100000>