Bugtraq mailing list archives

Re: Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2)

From: bright () WINTELCOM NET (Alfred Perlstein)
Date: Sat, 10 Jun 2000 13:40:17 -0700


* sector x <sectorx () DIGITALPHOBIA COM> [000610 13:10] wrote:

Here is a freebsd port of noir's cdrecord buffer overflow.
have you noticed cdrecord is very often suid root on many
systems? :)

--sectorx

-- snip snip --

/* freebsd cdrecord exploit port by sectorx of XOR


[*yawn* *snip*]

But it's _not_ suid on FreeBSD:

~ % ls -l /usr/local/bin/cdrecord
-r-xr-xr-x  1 root  wheel  161244 May 20 04:31 /usr/local/bin/cdrecord

Cute but useless.  Any program that encourages users to suid it
root and allows arbritary devices to be accessed over the scsi bus
needs to be taken out back and shot, twice.  Any vendor that ships
it that way, three times.

The exploit presented here is akin to writing a sploit for /bin/sh
that only works if it's suid.

--
-Alfred Perlstein - [bright () wintelcom net|alfred () freebsd org]
"I have the heart of a child; I keep it in a jar on my desk."

Current thread:

Re: Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2) Jeff Garzik (May 31)
- Re: Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2) noir (May 30)
- <Possible follow-ups>
- Re: Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2) sector x (Jun 10)
  - Re: Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2) Alfred Perlstein (Jun 10)