Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
To: Todd C. Miller <Todd.Miller@courtesan.com>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 08/27/1999 16:38:03
Cc: tech-security@netbsd.org
Message-ID: <19990827163803.A483@antioche.lip6.fr>
References: <19990827115805.A4542@antioche.lip6.fr> <19990827123116.A345@antioche.lip6.fr> <199908271422.IAA05497@xerxes.cs.colorado.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <199908271422.IAA05497@xerxes.cs.colorado.edu>; from Todd C. Miller on Fri, Aug 27, 1999 at 08:22:07AM -0600

On Fri, Aug 27, 1999 at 08:22:07AM -0600, Todd C. Miller wrote:
> But isn't the real issue simply that core dumps are following a
> symlink?  I tried this on OpenBSD-current and didn't have any luck
> getting the exploit to work (maybe I didn't try hard enough).

Yes it is. I suspect this has been disabled in OpenBSD. Maybe older versions
of OpenBSD are vulnerable?

I have a patch which prevents symlinks from being followed if the owner of
the symlink (or existing file) is not the same as the process.

> 
> I suspect that the find core dump is actually caused by a bug in
> fts.c that was posted in May to bugtraq.  My version of this patch
> in OpenBSD follows.  I'd be interested in knowing if the SEGV goes
> away with a find linked with a patched fts.c.

I'm going to try this, thanks!

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--
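Added example (not from this message, and not the NetBSD or OpenBSD kernel patch): a user-space C model of the ownership rule Bouyer describes for core-dump targets (a symlink or existing file is only accepted if it is owned by the dumping process's uid), beside the race-free variant a practitioner would write today (open with O_NOFOLLOW, then verify the opened object with fstat before writing). The fixture directory under /tmp, the file names and the helper function names are assumptions for the demonstration; the "other uid" cases are exercised by passing getuid()+1 rather than by running as root.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* expose lstat, mkdtemp, symlink, O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Rule from the message: the core path is acceptable if its last component
 * does not exist, or if it exists (symlink or plain file) and is owned by
 * the dumping process.  A symlink owned by anybody else is never followed.
 * Returns 1 = allowed, 0 = refused, -1 = lstat/stat error other than ENOENT.
 * This is the policy only; lstat-then-write is racy in user space, which is
 * why the second function below exists. */
int core_target_allowed(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return errno == ENOENT ? 1 : -1;   /* nothing there: it would be created */
    if (st.st_uid != uid)
        return 0;                          /* link or file owned by someone else */
    if (S_ISLNK(st.st_mode)) {
        /* our own symlink: may be followed, but the target gets the same check */
        if (stat(path, &st) < 0)
            return errno == ENOENT ? 1 : -1;   /* dangling link we own: target created */
        if (st.st_uid != uid)
            return 0;
    }
    return S_ISREG(st.st_mode) ? 1 : 0;
}

/* Race-free user-space variant: never follow a symlink in the last component
 * (O_NOFOLLOW), then inspect the object actually opened.  Returns an fd, or
 * -1 with errno set: ELOOP (EMLINK on older FreeBSD) for a symlink, EPERM
 * for a non-regular file, a file owned by someone else, or a hard link. */
int open_core_nofollow(const char *path, uid_t uid)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_uid != uid || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Convenience wrapper: 0 if the open passed every check, otherwise the errno. */
int probe_core_open(const char *path, uid_t uid)
{
    int fd = open_core_nofollow(path, uid);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Constructed fixture (assumed layout): a scratch directory holding a plain
 * file we own, a symlink named "core" pointing at it (the attacker's trick,
 * here created by ourselves), and a path that does not exist yet. */
static char g_dir[64], g_file[128], g_link[128], g_missing[128];

int make_fixture(void)
{
    int fd;
    strcpy(g_dir, "/tmp/coredemo.XXXXXX");
    if (mkdtemp(g_dir) == NULL)
        return -1;
    snprintf(g_file, sizeof g_file, "%s/victim", g_dir);
    snprintf(g_link, sizeof g_link, "%s/core", g_dir);
    snprintf(g_missing, sizeof g_missing, "%s/fresh.core", g_dir);
    fd = open(g_file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return symlink(g_file, g_link);
}

int main(void)
{
    uid_t me = getuid();
    if (make_fixture() < 0) {
        perror("fixture");
        return 1;
    }
    printf("plain file, our uid:    %d\n", core_target_allowed(g_file, me));
    printf("symlink, our uid:       %d\n", core_target_allowed(g_link, me));
    printf("symlink, other uid:     %d\n", core_target_allowed(g_link, me + 1));
    printf("missing file:           %d\n", core_target_allowed(g_missing, me));
    printf("O_NOFOLLOW on symlink:  %s\n", strerror(probe_core_open(g_link, me)));
    printf("O_NOFOLLOW on new file: %s\n", strerror(probe_core_open(g_missing, me)));
    return 0;
}
```

The first function is the policy as stated in the message; the second is what a user-space program writing a sensitive output file should do instead of checking and then opening, since the kernel can perform the owner test on the vnode it is about to write, while user space cannot without O_NOFOLLOW and fstat.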