Date: Sun, 17 Nov 1996 17:09:27 +0100 (MET)
From: Wolfgang Ley <ley@cert.dfn.de>
To: ewb@zns.net (Will Brown)
Cc: freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Message-ID: <199611171609.RAA13620@tiger.cert.dfn.de>
In-Reply-To: <199611171551.KAA09581@selway.i.com> from "Will Brown" at Nov 17, 96 10:51:03 am
Will Brown wrote:
>
> FYI: The exploit fails on Solaris 2.5. Works on FreeBSD 2.1.5. On
> Solaris, /tmp/sh is created (r-sr-sr--) but executing it does not give
> root privilege. Assume this is due to restrictions in Solaris on
> executing setuid root programs outside of certain directories? Perhaps
> that defense can be easily overcome, or is it a good last line of
> defense? Why not a similar defense in FreeBSD?
>
> My apologies if this has been hashed over already.
>
> Obviously not good in any case.

The exploit does work on Solaris (as you see the shell with the setuid
root is created). It doesn't matter if starting that shell will give you
a root shell or not because you already managed to execute a program
with root privs.

The setuid /tmp/sh fails because either /tmp is mounted nosuid (it's
always a good idea to mount all user-writable dirs like /tmp, /var etc.
nosuid) or you just have to use the "-p" switch to avoid resetting the
userid while starting a setuid shell (see "man sh").

Bye,
  Wolfgang.
-- 
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley@cert.dfn.de Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/ ...have a nice day
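
The nosuid advice in the message above can be checked mechanically. The following script is an added example, not part of the original e-mail: it reads mount(8) output on stdin and lists each given directory whose covering filesystem is not mounted nosuid. The sample mount table and the function names are constructed for illustration; the parser assumes the FreeBSD "dev on /mnt (opts)" layout and also tolerates the Linux "type X" variant.

```shell
#!/bin/sh
# Added example: audit user-writable directories for the nosuid mount option.

# Constructed sample in FreeBSD mount(8) format; on a live host use `mount`.
sample_mounts() {
cat <<'EOF'
/dev/ada0p2 on / (ufs, local, soft-updates)
/dev/ada0p4 on /tmp (ufs, local, nosuid, soft-updates)
/dev/ada0p5 on /var (ufs, local, soft-updates)
/dev/ada0p6 on /home (ufs, local, noexec, soft-updates)
tmpfs on /var/tmp (tmpfs, local, nosuid)
EOF
}

# missing_nosuid DIR...
# Reads mount output on stdin. For each DIR, finds the longest mount point
# that contains it and prints "DIR (on MOUNTPOINT)" if nosuid is not set.
missing_nosuid() {
    awk -v dirs="$*" '
    {
        i = index($0, " on "); j = index($0, " (")
        if (!i || !j) next                     # not a mount line
        mp = substr($0, i + 4, j - i - 4)      # text between " on " and " ("
        sub(/ type [^ ]+$/, "", mp)            # Linux adds "type <fs>" here
        o = "," substr($0, j + 2)
        gsub(/[ )]/, "", o)                    # "ufs, local)" -> "ufs,local"
        opts[mp] = o ","                       # comma-delimited for exact match
    }
    END {
        n = split(dirs, d, " ")
        for (k = 1; k <= n; k++) {
            best = ""
            for (mp in opts) {
                pre = (mp == "/") ? "/" : mp "/"
                if ((d[k] == mp || index(d[k] "/", pre) == 1) &&
                    length(mp) > length(best))
                    best = mp
            }
            if (best != "" && index(opts[best], ",nosuid,") == 0)
                print d[k] " (on " best ")"
        }
    }'
}

# Stand-alone run against the constructed table.
sample_mounts | missing_nosuid /tmp /var /var/tmp /home
```

On a real system, replace `sample_mounts` with `mount` and pass the directories that unprivileged users can write to.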