From: Matt Dillon
Date: Mon, 9 Apr 2001 10:07:11 -0700 (PDT)
Message-Id: <200104091707.f39H7BM71365@earth.backplane.com>
To: Q Yai QQ
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: local exploit

:hai guys.,.
:
:i wanna ask about Security of FreeBSD 3.4 and 4.x
:
:on FreeBSD-3.4 there are local exploit that hack chpass
:
:i am ever hacked by my user with local-exploit that can setuid root.,.
:
:then i try to chmod o-x chpass
:
:IT WORK !!!
:others cannot exploit on my machines again
:
:but i never find local exploit for FreeBSD-4.1 version
:
:are there big different that 4.1 more secure for exploit ??
:thank's
:...

I think the original question got lost here. Was there a security hole in chpass? The answer is: Yes, there was! A quick google search locates a copy of the advisory. On www.google.com I searched for:

'chpass advisory freebsd'

and came up with:

http://cert.uni-stuttgart.de/archive/bugtraq/2000/10/msg00448.html

There was a root exploit found in July 2000 which was fixed in FreeBSD-4.0 in July 2000 and fixed in FreeBSD-3.5.1 in October 2000.

So the answer is that by the time of FreeBSD-4.1, this bug was long since fixed. My suggestion would be to upgrade the boxes to RELENG_4 (FreeBSD-4.x), or if you do not want to make that big a leap, at the very least upgrade them to the latest RELENG_3 codebase (FreeBSD-3.5.1).
In general, bug fixes always go into what we call the 'stable' release, which at the moment is RELENG_4 (FreeBSD-4.x). FreeBSD-3.x is older and does not always get all the bug fixes, but it usually still gets all the security fixes. You still have to keep your codebase up to date, though.

There have been other root exploits since 3.4. Root exploits have been found in 'named', 'sshd', 'ntpd'. Filesystem read-any-file bugs have been found in crontab, and I'm probably forgetting a few. To be absolutely safe it is best to always track the latest -stable release, which at the moment is FreeBSD-4.x (4.3 is about to come out). The easiest way to track -stable is to learn how to use 'cvsup'.

-Matt