Bugtraq mailing list archives

Re: BSDi bugs


From: peiterz () bbn com (Peiter Zatko)
Date: Mon, 22 May 95 0:02:00 EDT


----- Forwarded message # 1:

Message-Id: <199505210134.CAA03410 () bagpuss demon co uk>
Subject: Re: BSDi bugs
To: Scott Chasin <chasin () crimelab com>
Date: Sun, 21 May 1995 02:34:40 +0100 (BST)
Cc: bugtraq () fc net
In-Reply-To: <199505200345.VAA03939 () crimelab com> from "Scott Chasin" at May 19, 95 09:45:55 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 428       
Sender: owner-bugtraq () fc net
Precedence: queue

> Hey karl,
>
> do you know any bsdi bugs off hand?  Or something to

too many!

> exploit IDA ...

aye

> Let me know m8
>
> --s




-- 
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl () bagpuss demon co uk
                                          |

----- End of forwarded messages

--------------------------------------------------------------------
Well, here's some info I found just briefly poking around:

(please note this is for 1.1, I haven't checked 2.0 or 0.9 yet)

The lpr bug is there (though BSDI has a patch on their ftp server).

There is a denial of service [kernel] hole that BSDI plugged with a patch. 
I haven't looked into it but you should be able to figure it out by 
looking at their patch. I believe it's available on their ftp 
server as well [ftp.bsdi.com].

I've found that piping garbage to 'elvis' in /usr/contrib/bin can cause it
to chew up tremendous amounts of cpu (which can lead to denial of service).
I'll forward more complete results when I finish going through all of the 
contrib programs to make sure they behave.

Also, the recover program for elvis runs suid root. Since what it does is
take a temp file and write it out to another file I think you can see the
possibilities here (haven't looked into that one either). 

elm is there along with autoreply in /usr/contrib but doesn't 
default to being used of course.

There also seems to be a bug in the return values for ifconfig although it looks
like everything is actually ok. It's just in one of the print statements.
Again, I'll have to look through some old notes to figure out what values I
plugged in to make this happen. Though I did mention it to BSDI support and
never heard back.

[I just looked through my notes and couldn't find it.] I believe that setting
the netmask and then reading it (via ifconfig) you would get the incorrect
values returned to you for certain inputs. 
I thought there was a 192 in there (C0), i.e. 255.255.192.0 coming back as
ffff00c0 or something but I'm unable to check if that was actually it at
this time.

I'd be interested in what anybody else has found with BSDI.

PeiterZ.


