Bugtraq mailing list archives

Re: fts, du, find


From: venglin () GADACZKA DHS ORG (Przemyslaw Frasunek)
Date: Fri, 14 May 1999 19:14:02 +0200


> 2. This bug probably applies to FreeBSD-3.1 and even to OpenBSD and others.

Yes, I've tested it on 3.1-STABLE.

> I have no exploit and probably will not have free time (I think
> 3 days is more than enough) for doing it, but I believe it is
> possible to exploit this bug using a carefully designed directory
> tree to execute arbitrary commands as root during
> /etc/daily->/etc/security->find.
> REMOTE ROOT EXPLOIT (POSSIBLE).

I think that it will be hard to write an exploit. I've tested it on
my 2.2.8-RELEASE at home.

'find' segfaults when it tries to do:

  (void)puts(entry->fts_path);

because of a junk pointer to the structure 'entry'. IMHO it _always_
points to 0x200291d6, so it tries to execute (IMHO) _always_ the
same commands:

0x200291d6 <puts+34>:   repnz scasb %es:(%edi),%al
0x200291d7 <puts+35>:   scasb  %es:(%edi),%al
0x200291d8 <puts+36>:   movl   %ecx,%eax
0x200291d9 <puts+37>:   enter  $0xd0f7,$0x89
0x200291da <puts+38>:   notl   %eax
0x200291db <puts+39>:   rorb   0x488de455(%ecx)
0x200291dc <puts+40>:   movl   %edx,0xffffffe4(%ebp)
0x200291dd <puts+41>:   pushl  %ebp
0x200291de <puts+42>:   inb    $0x8d,%al
0x200291df <puts+43>:   leal   0xffffffff(%eax),%ecx
0x200291e0 <puts+44>:   decl   %eax
0x200291e1 <puts+45>:   decl   0x938de84d(%ecx)
0x200291e2 <puts+46>:   movl   %ecx,0xffffffe8(%ebp)
0x200291e3 <puts+47>:   decl   %ebp
0x200291e4 <puts+48>:   call   0xc1532576 <end+2705991902>

and here it segfaults.

--
* Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 *
* Inet: venglin () lagoon freebsd org pl ** PGP:D48684904685DF43EA93AFA13BE170BF *
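The crash described above happens at the point where find hands `entry->fts_path` to `puts()`. As an added example (not code from this post, nor from the FreeBSD find or fts sources), here is a small fts(3) walker in C in the style of find and du, showing the checks a caller should make before touching an entry: a NULL from `fts_read()` is only end-of-walk if `errno` is still 0, and entries flagged `FTS_DNR`, `FTS_ERR` or `FTS_NS` carry an error in `fts_errno` rather than usable data. These caller-side checks cannot protect against the library itself handing back a corrupt pointer, which is what the post reports; they only ensure the caller never mistakes an error entry for a valid path. The names `walk_tree`, `make_sample_tree` and `walk_stats`, and the temporary tree it builds, are constructed for this example.

```c
/* Added example: defensive fts(3) traversal (not FreeBSD's find/du code).
 * Names walk_tree/make_sample_tree/walk_stats are invented for this demo. */
#define _DEFAULT_SOURCE 1
#include <sys/types.h>
#include <sys/stat.h>
#include <fts.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct walk_stats {
    long files;   /* regular files visited */
    long dirs;    /* directories entered (pre-order) */
    long errors;  /* entries fts flagged as unreadable or unstat-able */
};

/* Walk `root`, counting entries. Returns 0 on success, -1 if fts_open()
 * or fts_read() reported a hard error (errno is left set in that case). */
static int walk_tree(const char *root, struct walk_stats *st)
{
    char *argv[] = { (char *)root, NULL };
    FTS *fts;
    FTSENT *entry;

    memset(st, 0, sizeof *st);
    /* FTS_PHYSICAL: do not follow symlinks; FTS_NOCHDIR: keep our cwd. */
    fts = fts_open(argv, FTS_PHYSICAL | FTS_NOCHDIR, NULL);
    if (fts == NULL)
        return -1;

    errno = 0;
    while ((entry = fts_read(fts)) != NULL) {
        switch (entry->fts_info) {
        case FTS_D:    /* directory, pre-order visit */
            st->dirs++;
            break;
        case FTS_F:    /* regular file */
            st->files++;
            break;
        case FTS_DNR:  /* directory that could not be read */
        case FTS_ERR:  /* generic error on this entry */
        case FTS_NS:   /* stat(2) failed: fts_statp is NOT valid here */
            st->errors++;
            fprintf(stderr, "%s: %s\n", entry->fts_path,
                    strerror(entry->fts_errno));
            break;
        default:       /* FTS_DP, symlinks, etc.: nothing to count */
            break;
        }
        errno = 0;     /* so a final NULL can be told apart from an error */
    }
    if (errno != 0) {  /* NULL with errno set means fts_read() failed */
        int saved = errno;
        fts_close(fts);
        errno = saved;
        return -1;
    }
    return fts_close(fts);
}

/* Build a constructed sample tree root/{a,sub/b} under a temp directory.
 * Returns a malloc'd path to it, or NULL on failure. */
static char *make_sample_tree(void)
{
    char tmpl[] = "/tmp/ftsdemoXXXXXX";
    char path[256];
    char *root = mkdtemp(tmpl);
    int fd;

    if (root == NULL)
        return NULL;
    snprintf(path, sizeof path, "%s/a", root);
    if ((fd = open(path, O_CREAT | O_WRONLY, 0600)) < 0) return NULL;
    close(fd);
    snprintf(path, sizeof path, "%s/sub", root);
    if (mkdir(path, 0700) != 0) return NULL;
    snprintf(path, sizeof path, "%s/sub/b", root);
    if ((fd = open(path, O_CREAT | O_WRONLY, 0600)) < 0) return NULL;
    close(fd);
    return strdup(root);
}

int main(void)
{
    struct walk_stats st;
    char *root = make_sample_tree();

    if (root == NULL || walk_tree(root, &st) != 0) {
        perror("walk");
        return 1;
    }
    printf("dirs=%ld files=%ld errors=%ld\n", st.dirs, st.files, st.errors);
    free(root);
    return 0;
}
```

Run on the constructed tree it reports two directories (the root and `sub`), two files and no errors; pointed at a path that does not exist, fts hands back the root as an `FTS_NS` entry, which lands in the error branch instead of being printed as a path.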