From owner-FreeBSD-users-jp@jp.freebsd.org  Sun May 31 04:03:23 1998
Received: (from daemon@localhost)
	by jaz.jp.freebsd.org (8.8.8+3.0Wbeta13/8.7.3) id EAA02766;
	Sun, 31 May 1998 04:03:23 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from mx2.nisiq.net (po.mx2.nisiq.net [163.139.201.18])
	by jaz.jp.freebsd.org (8.8.8+3.0Wbeta13/8.7.3) with ESMTP id EAA02760
	for <FreeBSD-users-jp@jp.freebsd.org>; Sun, 31 May 1998 04:03:18 +0900 (JST)
	(envelope-from neko@expm.t.u-tokyo.ac.jp)
Received: from kage.nekoslib.org. (d02.kwa-usr1.nisiq.net [163.139.108.2])
	by mx2.nisiq.net (8.8.8/3.6W 03/17/98) with ESMTP id EAA15595
	for <FreeBSD-users-jp@jp.freebsd.org>; Sun, 31 May 1998 04:02:50 +0900 (JST)
Message-Id: <199805301902.EAA15595@mx2.nisiq.net>
Date: Sun, 31 May 1998 04:00:40 +0900 (JST)
Posted-Date: Sun, 31 May 1998 04:00:40 +0900 (JST)
To: FreeBSD-users-jp@jp.freebsd.org
In-Reply-To: Your message of "Wed, 27 May 1998 10:56:40 +0900".
	<199805270156.KAA29731@zeke.cic-kk.co.jp>
From: neko@expm.t.u-tokyo.ac.jp (Akihito KaNEKO)
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
X-Mailer: mnews [version 1.20] 1996-12/08(Sun)
Reply-To: FreeBSD-users-jp@jp.freebsd.org
Precedence: bulk
X-Distribute: distribute [version 2.1 (Alpha) patchlevel=24]
X-Sequence: FreeBSD-users-jp 28900
Subject: [FreeBSD-users-jp 28900] Re: How to make a daemon process dump core?
Errors-To: owner-FreeBSD-users-jp@jp.freebsd.org
Sender: owner-FreeBSD-users-jp@jp.freebsd.org

$B6b;R$H?=$7$^$9!#(B

<199805270156.KAA29731@zeke.cic-kk.co.jp>$B$N5-;v$K$*$$$F(B
JST$B;~4V(B1998$BG/(B05$B7n(B27$BF|(B($B?e(B)01$B;~(B56$BJ,(B40$BIC:"!"(Bkgotoh@cic-kk.co.jp$B$5$s$O(B
$B=q$-$^$7$?!#(B

 > FreeBSD 2.2.6 $B$K$F!"(BApache 1.2.6 + PHP/FI 2.0.1 $B$NAH9g$;$G(B
 > $B;HMQ$7$F$$$k$N$G$9$,!"$*$=$i$/$O(B PHP/FI $B$NLdBj$+%9%/%j%W%HB&$N(B
 > $BLdBj$G(B httpd $B$,(B SIGSEGV $B$GMn$A$F$7$^$$$^$9!#(B
 > 
 > $B$=$N;v<+?H$OD4$Y$l$P$$$$$s$G$9$,!"(Bhttpd $B$,(B core $B$rEG$+$:$K(B
 > $B;`$s$G$7$^$&$?$a$KOC$7$,A0$K?J$_$^$;$s!#(B

# Apache $B$NF0:n$r$h$/M}2r$7$F$J$$$N$G$9$,(B....

mit-sato@scc-kk.co.jp $B$5$s$,;XE&$5$l$F$$$?$h$&$K(B
setuid $B$5$l$F$$$k$H(B core $B$rEG$+$J$$$h$&$G$9$,(B

su -m nobody -c httpd

$B$H$+$d$k$N$O$I$&$G$7$g$&$+!)(B

$B2<$N$h$&$J%W%m%0%i%`$r(B /var/tmp $B>e$G<B9T$9$k$H(B

# ./a.out
Segmentation fault
# su -m nobody -c ./a.out 
Segmentation fault (core dumped)

$B$H$J$j$^$7$?!#(B

$B5/F0$7$F$+$i(B root $B$N8"8B$G%"%/%;%9$9$kI,MW$N$"$k(B
$B%3!<%I$,(B Apache $B$KL5$1$l$P$&$^$/9T$/$H;W$&$N$G$9$,!#(B

$B(,(,(,(,(,$3$3$+$i(,(,(,(,(,(B
#include <sys/types.h>
#include <unistd.h>

main()
{
  char *null=NULL;
  char c;

  setuid(65534);

  c = *null;
}
$B(,(,(,(,(,$3$3$^$G(,(,(,(,(,(B
---
  Akihito KaNEKO / neko@expm.t.u-tokyo.ac.jp
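
Added example (not part of the original message, and not Apache code): the "(core dumped)" suffix the shell prints in the session above comes from the child's wait status, so the same experiment can be checked from a parent process with WCOREDUMP. crash_child() and struct crash_result are names made up for this sketch; uid 65534 is the value used in the message's program.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef WCOREDUMP                 /* fallback if the libc hides the macro */
#define WCOREDUMP(s) ((s) & 0x80) /* core flag bit on Linux and the BSDs */
#endif

struct crash_result {             /* hypothetical name, for this example only */
    int sig;                      /* signal that terminated the child */
    int dumped;                   /* 1 if the kernel reports a core dump */
};

/* Fork a child that optionally calls setuid(uid) and then faults on purpose.
   Returns 0 and fills *r if the child died from a signal; returns -1 on
   fork/wait failure or if setuid() failed (for example, not started as root). */
int crash_child(int drop, uid_t uid, struct crash_result *r)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *volatile null = NULL;   /* volatile: keep the faulting read */
        if (drop && setuid(uid) != 0)
            _exit(3);                 /* never carry on with the old uid */
        _exit(*null);                 /* NULL dereference raises SIGSEGV */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFSIGNALED(status))
        return -1;
    r->sig = WTERMSIG(status);
    r->dumped = WCOREDUMP(status) ? 1 : 0;
    return 0;
}

int main(void)
{
    struct crash_result r;

    if (crash_child(0, 0, &r) == 0)
        printf("no setuid:     signal %d, core dumped: %d\n", r.sig, r.dumped);
    if (crash_child(1, 65534, &r) == 0)
        printf("setuid(65534): signal %d, core dumped: %d\n", r.sig, r.dumped);
    else
        printf("setuid(65534): child did not fault (setuid failed?)\n");
    return 0;
}
```

Whether either line reports a core dump also depends on the core size limit (ulimit -c) and on whether the working directory is writable by the child's uid.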
