From owner-freebsd-security Thu Jul 12 10:30: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from dandelion.geeksimplex.org (cc53440-a.catv1.md.home.com [24.18.90.197]) by hub.freebsd.org (Postfix) with ESMTP id A9DC637B407 for ; Thu, 12 Jul 2001 10:29:54 -0700 (PDT) (envelope-from icognito@geeksimplex.org) Received: from icognito by dandelion.geeksimplex.org with local (Exim 3.22 #1 (Debian)) id 15KkHh-00011J-00 for ; Thu, 12 Jul 2001 13:29:53 -0400 Date: Thu, 12 Jul 2001 13:29:53 -0400 From: Gabriel Rocha To: security@FreeBSD.ORG Subject: Re: FreeBSD 4.3 local root Message-ID: <20010712132953.C1020@geeksimplex.org> Mail-Followup-To: security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <001f01c10af7$9b42f120$97625c42@alexus> User-Agent: Mutt/1.3.18i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org couple of points: 1-It does not work for me; FreeBSD lorax.neutraldomain.org 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Sat Jun 23 01:52:58 PDT 2001 root@lorax.neutraldomain.org:/usr/src/sys/compile/lorax i386 2-At first I tried it with /tmp mounted no-exec (thats what i have in fstab) I thought that was why the exploit didnt work, remounted /tmp without the no-exec flag and tried again. It still does not work, it hangs for hours on end, this last iteration has been running for a couple days now and nothing has come of it. Ideas on why it doesnt work? --gabe ,----[ On Thu, Jul 12, at 01:25PM, alexus wrote: ]-------------- | is there any fix for that? | | > > about how long does the exploit run before giving you a root shell? | > | > Immediately. Shellcode calls /tmp/sh, not /bin/sh, so copy it to /tmp. `----[ End Quote ]--------------------------- -- "It's not brave if you're not scared." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message