Seyon, shipped with FreeBSD 3.3-RELEASE has several vulnerabilities. The problem is that seyon is still installed setgid dialer in FreeBSD, allowing a local user can grant himself priviliges which allow access to anything that requires group dialer, including modem devices.
a9642539381b9b2c0b68f11b82b75f51cf840c23814a843007b8cb83175e7c42
Vuln #1 The Seyon Mess
To summarize: Seyon was supposedly not meant to run with additional
privileges. There are numerous problems with seyon and I've probably not
found all of them. They are:
Buffer Overflows:
1. $HOME
2. seyon -emulator $BUF
3. seyon -modems $BUF
4. many long text box input string overflows while in program
Input Validation:
1. seyon will search $PATH for "xterm" and "seyon-emu" and exec with
fullprivs (as noted in previous advisory)
2. seyon -emulator /program/to/execute/with/full/privs
These privileges might be upgradable to root if you are able to a.
trojan a dialer-writable file or b. use a symlink attack to clobber .rhosts or
similar c. snoop device i/o.
One of the methods to exploit seyon is shown below:
bash-2.03$ echo 'void main() { system("/usr/bin/id"); }' > id.c
bash-2.03$ gcc -o id id.c
bash-2.03$ seyon -emulator ./id
uid=1000(xnec) gid=1000(xnec) egid=68(dialer) groups=68(dialer), 1000(xnec)