Bugtraq mailing list archives

Re: FreeBSD 4.3 local root


From: "Przemyslaw Frasunek" <venglin () freebsd lublin pl>
Date: Fri, 13 Jul 2001 15:19:37 +0200

http://www.frasunek.com/sources/security/rexec/
This workaround is not complete, because it doesn't protect against
exploitation of the bug. For example, the attacker can send the shellcode via
stdin to the suid program. Its address can also be determined by removing
the suid bit from the program and tracing it as non-root.

Of course, rexec wasn't designed to protect from this vulnerability. It
protects from argument/environment based overflows and some formatting bugs.
Almost all such security enhancements are possible to bypass, but not by
script kiddies. Rexec tries to make exploiting local vulnerabilities harder.
The selective noexec feature prevents kiddies from running their exploits.

(BTW, rexec is generally a good idea, we like it)

Thanks. I'm using it on all of my boxes with user accounts.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *

