Date: Wed, 11 Jul 2001 14:31:06 +0200
From: "Przemyslaw Frasunek" <venglin@freebsd.lublin.pl>
To: "Seva Gluschenko" <gvs@rinet.ru>, "Bug Track" <bugtraq@securityfocus.com>
Cc: <security@freebsd.org>
Subject: Re: FreeBSD 4.3 local root
Message-ID: <049201c10a05$5dc17bc0$2001a8c0@clitoris>
References: <20010711121224.J96652-100000@localhost>

> Well, after a bunch of tests I've found only two suids which gave me
> suid shell:
> /usr/bin/passwd
> /usr/local/bin/ssh1

/usr/bin/su also works for me:

riget:venglin:~> egrep -e execl vvfreebsd.c
if(!execl("/usr/bin/su","su","szymon",0))
riget:venglin:~> ./v
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe72
child=57660
Password:done
# id
uid=0(root) gid=1001(users) groups=1001(users), 99(rexec)

> So, quick workaround should be

Quick workaround is to limit arguments, environment and filter non-ascii
characters:

http://www.frasunek.com/sources/security/rexec/

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
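
An added example, not part of the original message and not the code of the rexec package linked above: a C check that an exec wrapper or policy hook could run over argv and envp before letting a set-uid program start, rejecting oversized vectors and any byte outside printable ASCII. The function names, status codes and limits are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustrative limits (assumptions, not taken from the message). */
#define MAX_STRINGS   64     /* max entries in argv or envp       */
#define MAX_STR_LEN   256    /* max bytes in one string           */
#define MAX_TOTAL_LEN 2048   /* max bytes across one whole vector */

enum vec_status { VEC_OK = 0, VEC_TOO_MANY, VEC_TOO_LONG, VEC_BAD_BYTE };

/* Check one NULL-terminated string vector (argv or envp). */
static enum vec_status check_vector(char *const vec[])
{
    size_t total = 0;

    if (vec == NULL)
        return VEC_OK;
    for (size_t i = 0; vec[i] != NULL; i++) {
        size_t len = 0;
        if (i >= MAX_STRINGS)
            return VEC_TOO_MANY;
        for (const unsigned char *p = (const unsigned char *)vec[i]; *p; p++) {
            /* Allow only printable ASCII, 0x20..0x7e (tabs are rejected too). */
            if (*p < 0x20 || *p > 0x7e)
                return VEC_BAD_BYTE;
            if (++len > MAX_STR_LEN || ++total > MAX_TOTAL_LEN)
                return VEC_TOO_LONG;
        }
    }
    return VEC_OK;
}

/* Returns VEC_OK only if both argv and envp pass; argv is checked first. */
enum vec_status exec_vectors_ok(char *const argv[], char *const envp[])
{
    enum vec_status s = check_vector(argv);
    return s != VEC_OK ? s : check_vector(envp);
}

int main(void)
{
    /* Constructed sample input: a clean argv and an envp with high bytes. */
    char *argv[] = { "su", "szymon", NULL };
    char *envp[] = { "TERM=vt100", "PAD=\x80\x80", NULL };

    printf("argv only: %d\n", exec_vectors_ok(argv, NULL));
    printf("argv+envp: %d\n", exec_vectors_ok(argv, envp));
    return 0;
}
```

A filter like this narrows what reaches a set-uid binary but does not repair the underlying kernel flaw; it is a stopgap until the system is patched.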