Hello Georgi,
Tuesday, July 10, 2001, 5:17:31 PM, you wrote:
GG> Georgi Guninski security advisory #48, 2001
GG> FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
GG> Systems affected:
GG> FreeBSD 4.3 and probably earlier versions.
Successfully works also at
> >> FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
>
> PF> This problem was already reported to FreeBSD Security Officer about two
> PF> months ago, but it was totally ignored.
>
> This problem has fixed and the exploit didn't work for las
> >> FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
>
> PF> This problem was already reported to FreeBSD Security Officer about two
> PF> months ago, but it was totally ignored.
>
> This problem has fixed and the exploit didn't work for las
> > http://www.frasunek.com/sources/security/rexec/
> This workaround not complete, because it doesn't protect for the bug
> exploitation. For example the attacker can send the shellcode via stdin
> to the suid program. It's address can also be determined with removing
> the suid bit from the prog
FreeBSD xxx.org 5.0-20010415-CURRENT FreeBSD
5.0-20010415-CURRENT #0: Sun Apr 15 15:53:33 GMT 2001
[EMAIL PROTECTED]:/usr/src/sys/compile/GENERIC i386
Thiz version is affected too...
***$$$### " And perhaps very many will not understand these words...
But there is no mercy for SKURWYSY
> Quick workaround is to limit arguments, environment and filter non-ascii
> characters:
>
> http://www.frasunek.com/sources/security/rexec/
This workaround not complete, because it doesn't protect for the bug
exploitation. For example the attacker can send the shellcode via stdin
to the suid p
one@c0d4:/usr/home/c0d4$ uname
FreeBSD one.xxx.com.ar 4.1-RELEASE FreeBSD 4.1-RELEASE
one@c0d4:/usr/home/c0d4$ ./sig2
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe89
child=1371
login: # done
# id
uid=1000(c0d4) euid=0(root) gid=20(staff) groups=20(staff)
#
and with : /usr/bin/chfn
On Tue, Jul 10, 2001 at 08:12:30PM +0200, Przemyslaw Frasunek wrote:
> > FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
>
> This problem was already reported to FreeBSD Security Officer about two
> months ago, but it was totally ignored.
Sorry about that: c
> This problem has fixed and the exploit didn't work for last
> 4.3-RELEASE FreeBSD.
Exploit *works* even for 4.3-STABLE, before correction date (2 Jul 2001):
riget:venglin:~> ./v
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe72
child=57660
Password:done
# id
uid=0(root) gid=1001(use
> Well, after a bunch of tests I've found only two suids which gave me
> suid shell:
> /usr/bin/passwd
> /usr/local/bin/ssh1
/usr/bin/su also works for me:
riget:venglin:~> egrep -e execl vvfreebsd.c
if(!execl("/usr/bin/su","su","szymon",0))
riget:venglin:~> ./v
vvfreebsd. Written by Georgi G
Przemyslaw Frasunek wrote:
>
> > FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
>
> This problem was already reported to FreeBSD Security Officer about two
> months ago, but it was totally ignored.
>
If this is the case I don't understand why you
Hello, Przemyslaw.
You wrote on Tuesday, July 10, 2001, 21:12:30:
>> FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
PF> This problem was already reported to FreeBSD Security Officer about two
PF> months ago, but it was totally ignored.
This problem has f
> FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
This problem was already reported to FreeBSD Security Officer about two
months ago, but it was totally ignored.
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: [EMAIL PROTECTED] **
Georgi Guninski security advisory #48, 2001
FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
Systems affected:
FreeBSD 4.3 and probably earlier versions.
Risk: High
Date: 10 July 2001
Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski.
You may distribute it