----- Forwarded message # 1:

Message-Id: <199505210134.CAA03410@bagpuss.demon.co.uk>
Subject: Re: BSDi bugs
To: Scott Chasin <chasin@crimelab.com>
Date: Sun, 21 May 1995 02:34:40 +0100 (BST)
Cc: bugtraq@fc.net
In-Reply-To: <199505200345.VAA03939@crimelab.com> from "Scott Chasin" at May 19, 95 09:45:55 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 428
Sender: owner-bugtraq@fc.net
Precedence: queue

> Hey karl,
>
> do you know any bsdi bugs off hand? Or something to

too many!

> exploit IDA ...

aye

>
> Let me know m8
>
> --s
>

--
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               | Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
                                          |

----- End of forwarded messages

--------------------------------------------------------------------

Well, here's some info I found just briefly poking around (please note this is for 1.1, I haven't checked 2.0 or 0.9 yet):

The lpr bug is there (though BSDI has a patch on their ftp server).

There is a denial of service [kernel] hole that BSDI plugged with a patch. I haven't looked into it, but you should be able to figure it out by looking at their patch. I believe it's available on their ftp server as well [ftp.bsdi.com].

I've found that piping garbage to 'elvis' in /usr/contrib/bin can cause it to chew up tremendous amounts of cpu (which can lead to denial of service). I'll forward more complete results when I finish going through all of the contrib programs to make sure they behave.

Also, the recover program for elvis runs suid root. Since what it does is take a temp file and write it out to another file, I think you can see the possibilities here (haven't looked into that one either).

elm is there along with autoreply in /usr/contrib, but doesn't default to being used, of course.

There also seems to be a bug in the return values for ifconfig, although it looks like everything is actually ok. It's just in one of the print statements. Again, I'll have to look through some old notes to figure out what values I plugged in to make this happen. Though I did mention it to BSDI support and never heard back. [I just looked through my notes and couldn't find it.] I believe that when setting the netmask and then reading it (via ifconfig) you would get the incorrect values returned to you for certain inputs. I thought there was a 192 in there (C0), i.e. 255.255.192.0 coming back as ffff00c0 or something, but I'm unable to check if that was actually it at this time.

I'd be interested in what anybody else has found with BSDI.

PeiterZ.