Subject: procfs vulnerability (Re: Details of www.freebsd.org penetration)
From: Kris Kennaway (krisfreebsd.org)
Date: Thu Dec 14 2000 - 10:28:14 CST


On Fri, Dec 15, 2000 at 07:53:32AM -0000, John Howie wrote:
> Kris,
>
> Any chance you could let us know exactly what 'local root vulnerability' was
> exploited. As I recall it was originally stated that no weakness in FreeBSD
> itself had been leveraged. I appreciate that the hacker gained access to the

No, I said that it was not a vulnerability in FreeBSD which allowed
the initial penetration. The attackers wouldn't have been able to get
in if this was any old FreeBSD system that wasn't running dodgy CGI
scripts.

> system via CGI (and not a FreeBSD weakness) but once in he/she became root
> through some other means. Was this vulnerability a configuration issue or
> simply a known problem that had not been addressed?

The latter :-( In fact it was a problem which was brought to our
attention a few days prior by the same guys who did the penetration -
unfortunately it's taken us rather longer than I would have liked to
get it fixed and an advisory released, a combination of the people
involved being busy travelling, or just busy. However we've finally
got it all together, it seems, and so an advisory should be out on
Monday.

If I'd known how long it would take to get the problem fixed I would
have released details informally before now - I can only apologise for
the delay, although to my knowledge this vulnerability is not yet
widely known - basically there are several local root exploits in
procfs: wait for the advisory for more details, unmount procfs now on
your multi-user systems.

Kris
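
An added example, not part of the original message: a check for the "unmount procfs" advice above that reports where procfs is mounted now and which `/etc/fstab` entries would mount it again at the next boot. The function names and the sample `mount` and fstab text are constructed for illustration; the line formats are FreeBSD's.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed.

# Read `mount` output on stdin; print the mount point of each procfs mount.
# FreeBSD line format: "procfs on /proc (procfs, local)"
procfs_mounted() {
    awk '{
        # the filesystem type is the first word inside the parentheses
        if (match($0, /\([^,)]*/)) {
            type = substr($0, RSTART + 1, RLENGTH - 1)
            if (type == "procfs" && $2 == "on") print $3
        }
    }'
}

# Read fstab text on stdin; print mount points of procfs entries that are
# active at boot (not commented out, not marked noauto).
procfs_in_fstab() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        $3 == "procfs" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noauto") next
            print $2
        }'
}

# Constructed sample of `mount` output on a multi-user host.
SAMPLE_MOUNT='/dev/da0s1a on / (ufs, local)
/dev/da0s1f on /usr (ufs, local, soft-updates)
procfs on /proc (procfs, local)
procfs on /jail/www/proc (procfs, local)'

# Constructed sample /etc/fstab.
SAMPLE_FSTAB='# Device      Mountpoint    FStype  Options    Dump Pass#
/dev/da0s1a   /             ufs     rw         1    1
proc          /proc         procfs  rw         0    0
#proc         /compat/proc  procfs  rw         0    0
proc          /mnt/proc     procfs  rw,noauto  0    0'

echo "procfs mounted now at:"
printf '%s\n' "$SAMPLE_MOUNT" | procfs_mounted
echo "procfs remounted at boot by fstab at:"
printf '%s\n' "$SAMPLE_FSTAB" | procfs_in_fstab
```

On a live host the same functions take `mount | procfs_mounted` and `procfs_in_fstab < /etc/fstab`. Each reported mount point needs a `umount`, and each reported fstab entry needs commenting out, otherwise procfs comes back after a reboot.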

