Bugtraq mailing list archives
Re: cfs-1.4.0beta2 root exploitable bug
From: therapy () guardian htu tuwien ac at (ther)
Date: Sat, 21 Feb 1998 18:18:44 +0100
On Sat, 21 Feb 1998, ther wrote:
process.. for example mmaping /proc/<cfsdpid>/mem to memory and change the code. cfsd seteuid's itself to root again after the file access and
after a setreuid call the process is marked as undumpable under linux - so
the programm code can't be modified, as i said (cause undumpable
processes are not inserted in the proc tree) but it still could be killed
with a signal..
btw: the patch i posted works (it can't be killed by a user anymore), but
i forgot the #else statment.
--- cfs.h~ Sat Feb 21 18:14:03 1998
+++ cfs.h Sat Feb 21 17:53:08 1998
@@ -200,8 +200,13 @@
#define become(x) ((x)==NULL?(setuidx(ID_EFFECTIVE |
ID_REAL,0)||setgidx(ID_EFFECTIVE|ID_REAL,0)):\
(setgidx(ID_EFFECTIVE|ID_REAL,rgid(x)) ||
setuidx(ID_EFFECTIVE|ID_REAL, ruid(x))))
#else
+#ifdef linux
+#define become(x) ((x)==NULL?(seteuid(0)||setegid(0)) :\
+ (setfsgid(rgid(x)) || setfsuid(ruid(x))))
+#else
#define become(x) ((x)==NULL?(seteuid(0)||setegid(0)) :\
(setegid(rgid(x)) || seteuid(ruid(x))))
+#endif
#endif
#define keyof(f) (&((f)->ins->key))
#define vectof(f) ((f)->vect)
this patch is against
ftp://ftp.funet.fi/pub/crypt/utilities/file/cfs.1.4.0.beta2.tar.gz
bye,
therapy
Current thread:
- Fw: tetex-0.4pl8 world-writable database Micha? Zalewski (Feb 20)
- Re: Fw: tetex-0.4pl8 world-writable database Marcin Cieslak (Feb 20)
- Pipe attack - an example Micha? Zalewski (Feb 20)
- cfs-1.4.0beta2 root exploitable bug ther (Feb 20)
- WinGate DoS Matt Carothers (Feb 21)
- Quick update on Radius bug Phillip R. Jaenke (Feb 21)
- Workaround for radius bug Phillip R. Jaenke (Feb 21)
- Re: cfs-1.4.0beta2 root exploitable bug ther (Feb 21)
- resource starvation against passwd(1) Antonomasia (Feb 22)
- RADIUS (Summary) Aleph One (Feb 22)
- Re: RADIUS (Summary) Dave Stewart (Feb 22)
- Re: RADIUS (Summary) Phillip R. Jaenke (Feb 22)
- Re: RADIUS (Summary) Josh Richards (Feb 22)