The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


cfs-1.4.0beta2 root exploitable bug


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
X-RDate: Mon, 23 Feb 1998 10:22:11 +0500 (ESK)
Date: Sat, 21 Feb 1998 18:18:44 +0100
From: ther <[email protected]>
To: [email protected]
Subject: Re: cfs-1.4.0beta2 root exploitable bug

On Sat, 21 Feb 1998, ther wrote:

> process.. for example mmaping /proc/<cfsdpid>/mem to memory and change the
> code. cfsd seteuid's itself to root again after the file access and
after a setreuid call the process is marked as undumpable under linux - so
the programm code can't be modified, as i said (cause undumpable
processes are not inserted in the proc tree) but it still could be killed
with a signal..

btw: the patch i posted works (it can't be killed by a user anymore), but
i forgot the #else statment.

--- cfs.h~      Sat Feb 21 18:14:03 1998
+++ cfs.h       Sat Feb 21 17:53:08 1998
@@ -200,8 +200,13 @@
 #define become(x) ((x)==NULL?(setuidx(ID_EFFECTIVE |
ID_REAL,0)||setgidx(ID_EFFECTIVE|ID_REAL,0)) :\
            (setgidx(ID_EFFECTIVE|ID_REAL,rgid(x)) ||
setuidx(ID_EFFECTIVE|ID_REAL, ruid(x))))
 #else
+#ifdef linux
+#define become(x) ((x)==NULL?(seteuid(0)||setegid(0)) :\
+                  (setfsgid(rgid(x)) || setfsuid(ruid(x))))
+#else
 #define become(x) ((x)==NULL?(seteuid(0)||setegid(0)) :\
                   (setegid(rgid(x)) || seteuid(ruid(x))))
+#endif
 #endif
 #define keyof(f) (&((f)->ins->key))
 #define vectof(f) ((f)->vect)

this patch is against
ftp://ftp.funet.fi/pub/crypt/utilities/file/cfs.1.4.0.beta2.tar.gz

bye,
        therapy

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру