On Sat, 3 Mar 2001, Chris Costello wrote:
> Date: Sat, 03 Mar 2001 12:24:19 -0600
> From: Chris Costello <[EMAIL PROTECTED]>
> To: Dan Phoenix <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: easy way to crash freebsd
>
> On Friday, March 02, 2001, Dan Phoenix wrote:
> > People asking me how this could be used as a local user.
> > Well I guess if you wanted to you could find something root runs
> > that writes to /tmp then umask resolv.conf
> > and echo "" > resolv.conf
>
> Could you expand on this, please? What does finding a root
> utility that writes to /tmp have to do with umasking a file?
> (I've found it rather difficult to umask files in the past.)
>
> --
> +-------------------+----------------------------+
> | Chris Costello | I just found the last bug. |
> | [EMAIL PROTECTED] | |
> +-------------------+----------------------------+
>
Well one of the concepts is to umask 4777
then write as many tmp files to the tmp dir as you can symlinking to say
/etc/master.passwd....which would really do nothing I would
imagine...symlinking to spwd.db would prob be better. Afterwards you have
write perms to the file with whatever root wrote to it. I believe that is
the basic concept....many of these have been fixed. BTW in no way do I
promote this....just explaining the concept.
[root@elrond dphoenix]# ls /tmp
commitlog* elist.log fcsignup.log mysql.sock= screens/
[root@elrond dphoenix]#
for me shows this.....I guess in this case you could wait for root to
shut down mysql and link that mysql.sock= to some database you want
overwritten. I am not sure if it works the same for socket files.
Best to ask one of the unix gurus :)
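The thread above concerns a writer that opens a predictable name in a shared directory and follows a symlink planted there beforehand. The C below is an added example, not part of the original message: it shows why `O_CREAT | O_EXCL` (with `O_NOFOLLOW`) closes that hole. All function names, file names and the scratch directory are constructed for the illustration, and everything happens inside a private `mkdtemp()` directory.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the thread depends on: a writer opens a predictable name and open()
 * follows whatever symlink already sits at that name. */
static int open_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails with EEXIST if the name already exists, symlinks
 * included (even dangling ones); O_NOFOLLOW is a second guard. */
static int open_hardened(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: "victim.db" holds 7 bytes and "app.log" is a
 * pre-existing symlink to it. Returns the victim's size after the writer
 * runs, or -1 on setup failure. */
static long run_writer(int hardened) {
    char dir[] = "/tmp/symdemo.XXXXXX", victim[64], tmpname[64];
    struct stat st;
    long size = -1; ssize_t n; int fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim.db", dir);
    snprintf(tmpname, sizeof tmpname, "%s/app.log", dir);
    if ((fd = open_hardened(victim)) < 0) goto out;
    n = write(fd, "secret\n", 7);
    close(fd);
    if (n != 7 || symlink(victim, tmpname) != 0) goto out;

    fd = hardened ? open_hardened(tmpname) : open_naive(tmpname);
    if (fd >= 0) {               /* only the naive opener gets here */
        n = write(fd, "log\n", 4);
        close(fd);
    }
    if (stat(victim, &st) == 0) size = (long)st.st_size;
out:
    unlink(tmpname); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("naive=%ld hardened=%ld\n", run_writer(0), run_writer(1));
    return 0;
}
```

With the naive opener the victim file ends up holding the writer's 4 bytes; with the hardened opener the open fails and the original 7 bytes survive. `mkstemp()` gives the same guarantee while also choosing an unpredictable name.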