大西瓜的杂货铺

From: http://seclists.org/fulldisclosure/2009/Nov/371

** FreeBSD local r00t 0day
Discovered & Exploited by Nikolaos Rangos also known as Kingcope.
Nov 2009 “BiG TiME”

“Go fetch your FreeBSD r00tkitz” // http://www.youtube.com/watch?v=dDnhthI27Fg

There is an unbelievable simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs a long time *sigh*. Now it pays out.

The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like “ping” or “su”.
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.

阅读全文

目前针对Windows+MSSQL或Windows+MYSQL的系统，在入侵方面的文章可算不少，大多通过脚本漏洞上传WebShell，通过Serv-U提升权限，再通过PcAnyWhere或终端连接器远程连接。就系统而言，大陆用Windows的比较多，港台和国外很多服务器都是用的Unix、Linux或FreeBSD系统。本文就是针对的FreeBSD+MYSQL+PHP系统，结合一个具体实例，讲解了一下入侵思路。其实作者的运气不错，遇到了一个大意的管理员——有多少服务器管理员是这样大意的呢？

MYSQL：入侵FreeBSD的桥梁

阅读全文