RE: FreeBSD 4.3 local root

From: Jason DiCioccio (jdicioccio@epylon.com)
Date: 07/12/01 

From: Jason DiCioccio <jdicioccio@epylon.com>
To: 'Gabriel Rocha' <grocha@geeksimplex.org>, security@FreeBSD.ORG
Date: Thu, 12 Jul 2001 10:32:10 -0700

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

is the binary named 'vv' ?

It has to be.

Cheers,
- -JD-

- -------
Jason DiCioccio
Evil Genius
Unix BOFH

- -----Original Message-----
From: Gabriel Rocha [mailto:grocha@geeksimplex.org]
Sent: Thursday, July 12, 2001 10:30 AM
To: security@FreeBSD.ORG
Subject: Re: FreeBSD 4.3 local root

couple of points:
        1-It does not work for me;
                
                FreeBSD lorax.neutraldomain.org 4.3-RELEASE FreeBSD
                4.3-RELEASE #0: Sat Jun 23 01:52:58 PDT 2001
                root@lorax.neutraldomain.org:/usr/src/sys/compile/lorax
                i386

        2-At first I tried it with /tmp mounted no-exec (thats what i
        have in fstab) I thought that was why the exploit didnt work,
        remounted /tmp without the no-exec flag and tried again. It
        still does not work, it hangs for hours on end, this last
        iteration has been running for a couple days now and nothing has
        come of it.

Ideas on why it doesnt work? --gabe

,----[ On Thu, Jul 12, at 01:25PM, alexus wrote: ]--------------
| is there any fix for that?
|
| > > about how long does the exploit run before giving you a root
| > > shell?
| >
| > Immediately. Shellcode calls /tmp/sh, not /bin/sh, so copy it to
| > /tmp.
`----[ End Quote ]---------------------------

- --

"It's not brave if you're not scared."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO03f81CmU62pemyaEQKK+ACg78KAtTLhEGg0tbNps3PuXud24O8An24G
9WUueCJDnIhGpUzQkscnwrKM
=Izj8
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Relevant Pages

  • RE: FreeBSD 4.3 local root
    ... Matt ... Subject: FreeBSD 4.3 local root ... with "unsubscribe freebsd-security" in the body of the message ...
    (FreeBSD-Security)
  • RE: FreeBSD 4.3 local root
    ... it sure didnt work for me that way.. ... Subject: FreeBSD 4.3 local root ... with "unsubscribe freebsd-security" in the body of the message ...
    (FreeBSD-Security)
  • Re: Racoon/sainfo - no policy found
    ... > I have a FreeBSD machine runing NAT, IPFilter, IPSec, ... > Racoon among other things. ... with "unsubscribe freebsd-security" in the body of the message ...
    (FreeBSD-Security)
  • Re: Is the technique described in this article do-able with
    ... > I believe that when you "halt" FreeBSD the whole OS halts. ... you may not care about log info. ... with "unsubscribe freebsd-security" in the body of the message ...
    (FreeBSD-Security)
  • RE: OpenSSH b0rked (was RE: Problems with IPFW patch)
    ... Just did that as per your suggestion. ... > You'd be better off running mergemaster anyway, ... > with "unsubscribe freebsd-security" in the body of the message ...
    (FreeBSD-Security)