Date: Sun, 17 Nov 1996 11:18:39 -0500 (EST)
From: Adam Shostack <adam@homeport.org>
To: ewb@zns.net (Will Brown)
Cc: freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Message-ID: <199611171618.LAA02721@homeport.org>
In-Reply-To: <199611171551.KAA09581@selway.i.com> from Will Brown at "Nov 17, 96 10:51:03 am"

Will Brown wrote:
| FYI: The exploit fails on Solaris 2.5. Works on FreeBSD 2.1.5. On
| Solaris, /tmp/sh is created (r-sr-sr--) but executing it does not give
| root privilege. Assume this is due to restrictions in Solaris on
| executing setuid root programs outside of certain directories? Perhaps
| that defense can be easily overcome, or is it a good last line of
| defense? Why not a similar defense in FreeBSD?

I think there's code in the shipped Solaris shells that causes them to
switch uid back to that of the invoker when they are setuid. This is a
slick defense against exploit scripts, but it doesn't take that much
to work around it. My preferred method is to use a tcsh binary that
doesn't have the defence instead of /bin/sh.

On another note, how about qmail replacing sendmail?

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
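
The defense described in the message above, sketched as an added example that is not part of the original e-mail and is not Solaris or FreeBSD source: a program that finds itself running with ids borrowed from a setuid/setgid file drops back to the invoker's ids before doing anything else, and verifies that the drop cannot be undone. The function names are hypothetical.

```c
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when the effective uid or gid differs from the real (invoker's)
 * one, i.e. the process was started from a setuid/setgid file. */
int runs_with_borrowed_ids(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Give up borrowed ids for good (hypothetical helper).
 * Returns 0 if there was nothing to drop, 1 if privileges were dropped,
 * -1 if the drop failed or could still be reversed. */
int drop_to_invoker(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    if (!runs_with_borrowed_ids(ruid, euid, rgid, egid))
        return 0;

    /* Group first: after the uid is dropped we may lack the right to change gid. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;

    /* Confirm the drop took effect. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;

    /* Confirm it is permanent. setuid() clears the saved id only when the
     * effective uid was root, so a leftover saved id is caught here.
     * A root invoker can always switch ids back, so skip the test for root. */
    if (ruid != 0) {
        if (euid != ruid && seteuid(euid) == 0)
            return -1;
        if (egid != rgid && setegid(egid) == 0)
            return -1;
    }
    return 1;
}

int main(void)
{
    /* A shell would call this before reading any command and exit on failure. */
    return drop_to_invoker() < 0 ? 1 : 0;
}
```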