From nobody@FreeBSD.org  Sun Dec 11 09:08:22 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F3EE216A41F
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 11 Dec 2005 09:08:21 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9F72E43D5A
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 11 Dec 2005 09:08:21 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id jBB98L9O014741
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 11 Dec 2005 09:08:21 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id jBB98Lgr014740;
	Sun, 11 Dec 2005 09:08:21 GMT
	(envelope-from nobody)
Message-Id: <200512110908.jBB98Lgr014740@www.freebsd.org>
Date: Sun, 11 Dec 2005 09:08:21 GMT
From: Ph03n1X <king_purba@yahoo.co.uk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: lokal rooting
X-Send-Pr-Version: www-2.3

>Number:         90228
>Category:       bin
>Synopsis:       lokal rooting
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 11 09:10:03 GMT 2005
>Closed-Date:    Sun Dec 11 09:27:53 GMT 2005
>Last-Modified:  Sun Dec 11 09:30:03 GMT 2005
>Originator:     Ph03n1X
>Release:        6.0 releses
>Organization:
nightlogin gadjah mada university
>Environment:
FreeBSD student.te.ugm.ac.id 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov  3 09:36:13 UTC 2005     root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC  i386
             
>Description:
This is the vulneralability description :

$cat tes.c
main()
{
setuid(0);
setgid(0);
system("/bin/sh");
}
$su -
Password:
#gcc -o tes tes.c
#chmod +s tes
#exit
$id
uid=1228(shelda03) gid=1228(shelda03) groups=1228(shelda03)
$./tes
#id
uid=0(root) gid=0(wheel) groups=0(wheel), 1228(shelda03)
              
>How-To-Repeat:
I don't know              
>Fix:
I don't know              
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Sun Dec 11 09:27:12 UTC 2005 
State-Changed-Why:  
Expected and well documented behaviour. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=90228 

From: Maxim Konovalov <maxim@macomnet.ru>
To: Ph03n1X <king_purba@yahoo.co.uk>
Cc: bug-followup@freebsd.org
Subject: Re: bin/90228: lokal rooting
Date: Sun, 11 Dec 2005 12:27:02 +0300 (MSK)

 On Sun, 11 Dec 2005, 09:08-0000, Ph03n1X wrote:
 
 >
 > >Number:         90228
 > >Category:       bin
 > >Synopsis:       lokal rooting
 > >Confidential:   no
 > >Severity:       critical
 > >Priority:       high
 > >Responsible:    freebsd-bugs
 > >State:          open
 > >Quarter:
 > >Keywords:
 > >Date-Required:
 > >Class:          sw-bug
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Sun Dec 11 09:10:03 GMT 2005
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     Ph03n1X
 > >Release:        6.0 releses
 > >Organization:
 > nightlogin gadjah mada university
 > >Environment:
 > FreeBSD student.te.ugm.ac.id 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov  3 09:36:13 UTC 2005     root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC  i386
 >
 > >Description:
 > This is the vulneralability description :
 >
 > $cat tes.c
 > main()
 > {
 > setuid(0);
 > setgid(0);
 > system("/bin/sh");
 > }
 > $su -
 > Password:
 > #gcc -o tes tes.c
 > #chmod +s tes
 > #exit
 > $id
 > uid=1228(shelda03) gid=1228(shelda03) groups=1228(shelda03)
 > $./tes
 > #id
 > uid=0(root) gid=0(wheel) groups=0(wheel), 1228(shelda03)
 >
 > >How-To-Repeat:
 > I don't know
 > >Fix:
 > I don't know
 
 chmod -s tes
 
 -- 
 Maxim Konovalov
>Unformatted:
