Vulnerability Development: Re: BSD chfn bug

Re: BSD chfn bug

From: Tellier, Brock <btellier_at_USA.NET>
Date: Thu, 23 Dec 1999 18:05:05 -0000

In message <19991220153724.A24141_at_hq.alert.sk> Pavol Luptak writes:
: My friend a long time ago found a hole in BSD chfn/chsh/chpass, vulnerable in all versions FreeBSD 2.x - 4.0. I don't find any possibility how to exploit this. I think readers of this mailing list will appreciate this.

> Lukasz Luzar found this months ago. I've been testing his fixes on my
> machine for some time (mostly because I got busy and didn't commit
> them). I'm going to fix that now.

> At best you can get a file in /etc/ that is owned by yourself.

I can think of a half-dozen ways where this could lead to a root compromise. Many daemons/suid's look to /etc for optional config files. Some of these may have paths for temp files or other potentially damaging information. Most of these programs probably don't check who owns the file before opening it.

Unless you're saying that you can only get a tmp file with a particular name in /etc.

-Brock
Received on Dec 23 1999
