Bugtraq mailing list archives
Re: BSDi bugs
From: peiterz () bbn com (Peiter Zatko)
Date: Mon, 22 May 95 0:02:00 EDT
----- Forwarded message # 1:

Message-Id: <199505210134.CAA03410 () bagpuss demon co uk>
Subject: Re: BSDi bugs
To: Scott Chasin <chasin () crimelab com>
Date: Sun, 21 May 1995 02:34:40 +0100 (BST)
Cc: bugtraq () fc net
In-Reply-To: <199505200345.VAA03939 () crimelab com> from "Scott Chasin" at May 19, 95 09:45:55 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 428
Sender: owner-bugtraq () fc net
Precedence: queue
> Hey karl, do you know any bsdi bugs off hand? Or something to

too many!

> exploit IDA ...

aye

> Let me know m8 --s
--
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD                | Karl Strickland
PGP 2.3a Public Key Available.             | Internet: karl () bagpuss demon co uk

----- End of forwarded messages ---------------------------------------------

Well, here's some info I found just briefly poking around: (please note this is for 1.1, I haven't checked 2.0 or 0.9 yet)

The lpr bug is there (though BSDI has a patch on their ftp server).

There is a denial of service [kernel] hole that BSDI plugged with a patch. I haven't looked into it but you should be able to figure it out by looking at their patch. I believe it's available on their ftp server as well [ftp.bsdi.com].

I've found that piping garbage to 'elvis' in /usr/contrib/bin can cause it to chew up tremendous amounts of cpu (which can lead to denial of service). I'll forward more complete results when I finish going through all of the contrib programs to make sure they behave. Also, the recover program for elvis runs suid root. Since what it does is take a temp file and write it out to another file I think you can see the possibilities here (haven't looked into that one either).

elm is there along with autoreply in /usr/contrib but doesn't default to being used of course.

There also seems to be a bug in the return values for ifconfig although it looks like everything is actually ok. It's just in one of the print statements. Again, I'll have to look through some old notes to figure out what values I plugged in to make this happen. Though I did mention it to BSDI support and never heard back. [I just looked through my notes and couldn't find it.] I believe that setting the netmask and then reading it (via ifconfig) you would get the incorrect values returned to you for certain inputs. I thought there was a 192 in there (C0), ie 255.255.192.0 coming back as ffff00c0 or something but I'm unable to check if that was actually it at this time.
I'd be interested in what anybody else has found with BSDI. PeiterZ.