SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   AIO Vendors:   FreeBSD
FreeBSD AIO Input/Output Routines May Allow Local Users to Execute Arbitrary Code With Elevated Privileges
SecurityTracker Alert ID:  1002931
SecurityTracker URL:  http://securitytracker.com/id/1002931
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 10 2001
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system
Exploit Included:  Yes  
Version(s): FreeBSD 4-STABLE upto at least 28/10/01
Description:   A vulnerability was reported in FreeBSD's AIO implementation for performing POSIX-compliant asynchronous input and output. Under certain conditions, a local user may execute arbitrary code with elevated privileges.

It is reported that, under certain conditions, scheduled AIO operations may persist after an execve() call, allowing memory of the new process to be arbitrarily overwritten. If the subsequent process has set user id (suid) permissions, the local user could obtain elevated privileges. Only certain types of file descriptors can be exploited in this manner.

It is reported that VFS_AIO is not currently enabled in the default FreeBSD kernel configuration and that comments in ``LINT'' suggest that security issues have been known for some time.

Demonstration exploit code is apparently available at: http://elysium.soniq.net/dr/tao/tao.c

Impact:   A local user may be able to execute arbitrary code with elevated privileges, giving that user elevated privileges on the system.
Solution:   No solution was available at the time of this entry. The author of the report has made an unofficial patch available to limit the use of AIO syscalls to root:

http://elysium.soniq.net/dr/tao/patch-01

Vendor URL:  www.freebsd.org/ (Links to External Site)
Cause:   State error
Underlying OS:  UNIX (FreeBSD)

Message History:   None.


 Source Message Contents

Subject:  AIO vulnerability


--wRRV7LY7NUeQGEoC
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline


--wRRV7LY7NUeQGEoC
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="advisory.txt"

------------------------------------------------------------------------------
Soniq Security Advisory
David Rufino <dr@soniq.net> Dec 9, 2001 

Race Condition in FreeBSD AIO implementation
http://elysium.soniq.net/dr/tao/tao.html
------------------------------------------------------------------------------

RISK FACTOR: LOW

SYNOPSIS

AIO is a POSIX standard for asynchronous I/O. Under certain conditions,
scheduled AIO operations persist after an execve, allowing arbitrary
overwrites in the memory of the new process. Combined with the permission 
to execute suid binaries, this can yield elevated priviledges. 
Currently VFS_AIO is not enabled in the default FreeBSD kernel config,
however comments in ``LINT'' suggest security issues have been known about
privately for some time:

# Use real implementations of the aio_* system calls.  There are numerous
# stability issues in the current aio code that make it unsuitable for
# inclusion on shell boxes.

The type of file descriptor used for the AIO operation is important. For
instance operations on pipes will not complete fully after an execve,
whereas operations on sockets will. It is not known whether AIO operations
on hard disk files persist in the desired manner.
 
VULNERABLE SYSTEMS

FreeBSD 4-STABLE upto at least 28/10/01 

RESOLUTION

Currently there are no known patches to remove all security issues. However
a patch is available to limit the use of AIO syscalls to root at
http://elysium.soniq.net/dr/tao/patch-01

EXPLOIT
 
Given that FreeBSD AIO is not in active use at the moment, I have made
available a proof of concept exploit, at http://elysium.soniq.net/dr/tao/tao.c

CREDITS

Discovery and exploitation was conducted by David Rufino.

CONTACT INFORMATION

dr+securityfocussucks@soniq.net
http://elysium.soniq.net/dr/index.html

--wRRV7LY7NUeQGEoC--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC