From owner-freebsd-security  Thu Jul 12 12:26:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108])
	by hub.freebsd.org (Postfix) with ESMTP id 01E1F37B403
	for <security@FreeBSD.ORG>; Thu, 12 Jul 2001 12:26:02 -0700 (PDT)
	(envelope-from fgleiser@cactus.fi.uba.ar)
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108])
	by cactus.fi.uba.ar (8.11.3/8.9.3) with ESMTP id f6CJO2L20204;
	Thu, 12 Jul 2001 16:24:04 -0300 (ART)
	(envelope-from fgleiser@cactus.fi.uba.ar)
Date: Thu, 12 Jul 2001 16:24:02 -0300 (ART)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: Ryan <ryanpek@swbell.net>
Cc: <security@FreeBSD.ORG>
Subject: Re: FreeBSD 4.3 local root PREVENTIONS
In-Reply-To: <002401c10afc$ffcc9b00$45d8db40@mhx800>
Message-ID: <20010712162140.N17358-100000@cactus.fi.uba.ar>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Thu, 12 Jul 2001, Ryan wrote:

> another extra thing you can do is set the permissions on /bin/
> like I have everything in there chmod 111
>
> which would prevent copying
> bash-2.05$ cp /bin/sh /tmp/
> cp: /bin/sh: Permission denied

It doesn't help much, you can symlink /tmp/sh to /bin/sh. Or, as others
have noted, you can edit the shellcode to exec whatever you want.:

bash-2.03$ ls -l /bin/sh
---x--x--x  1 root  wheel  446952 Apr 21 06:05 /bin/sh
bash-2.03$ ln -s /bin/sh /tmp/sh
bash-2.03$ ./a.out
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe72
child=749
login: done
# id
uid=0(root) gid=1001(fgleiser) groups=1001(fgleiser), 0(wheel)
#




>
> So simple things like going into all the folders and chmod'n things is a
> very good idea for a lil extra security.
>
> along with copying /bin/sh to /tmp/
> and chmod 0 /tmp/sh
>
> Ryan
> ryanpek@swbell.net
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message