Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
To: Todd C. Miller <Todd.Miller@courtesan.com>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 08/27/1999 16:38:03
by redmail.netbsd.org with SMTP; 27 Aug 1999 14:38:05 -0000
by antioche.lip6.fr (8.9.3/8.9.3) with ESMTP id QAA06007;
Fri, 27 Aug 1999 16:38:03 +0200 (MEST)
Date: Fri, 27 Aug 1999 16:38:03 +0200
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
To: "Todd C. Miller" <Todd.Miller@courtesan.com>
Cc: tech-security@netbsd.org
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
Message-ID: <19990827163803.A483@antioche.lip6.fr>
References: <19990827115805.A4542@antioche.lip6.fr> <19990827123116.A345@antioche.lip6.fr> <199908271422.IAA05497@xerxes.cs.colorado.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <199908271422.IAA05497@xerxes.cs.colorado.edu>; from Todd C. Miller on Fri, Aug 27, 1999 at 08:22:07AM -0600
On Fri, Aug 27, 1999 at 08:22:07AM -0600, Todd C. Miller wrote:
> But isn't the real issue simply that core dumps are following a
> symlink? I tried this on OpenBSD-current and didn't have any luck
> getting the exploit to work (maybe I didn't try hard enough).
Yes it is. I suspect this has been disabled in OpenBSD. Maybe older versions
of OpenBSD are vulnerable ?
I've a patch which prevent symlinks from being followed if the owner of
the symlink (or existing file) is not the same as the process.
>
> I suspect that the find core dump is actually caused by a bug in
> fts.c that was posted in May to bugtraq. My version of this patch
> in OpenBSD follows. I'd be interested in knowing if the SEGV goes
> away with a find linked with a patched fts.c.
I'm going to try this, thanks !
--
Manuel Bouyer, LIP6, Universite Paris VI. Manuel.Bouyer@lip6.fr
--