SecurityTracker.com
SecurityTracker
Archives
Category:   OS (UNIX)  >   Kernel (please use specific OS kernel) Vendors:   [Multiple Authors/Vendors]
BSD UNIX Kernel File Descriptor Processing Flaw May Let Local Users Write to Root Owned Files to Gain Root Privileges on the System
SecurityTracker Alert ID:  1004124
SecurityTracker URL:  http://securitytracker.com/id/1004124
CVE Reference:   CVE-2002-0572   (Links to External Site)
Updated:  Apr 23 2002
Original Entry Date:  Apr 22 2002
Impact:   Modification of system information, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   It is reported that there is a flaw in the FreeBSD kernel that allows a local user to obtain root privileges. Other BSD-based systems may also be affected.

It is reported that a kernel flaw in the allocating of file descriptors may allow a local user to obtain elevated privileges by exploiting a set user id (suid) or set group id (sgid) application.

A local user can run a program that fills its file descriptor table with duplicates of an open descriptor using dup(), closes one or more of the standard descriptors (stdin, stdout, or stderr), and then executes a suid root application that opens a root-owned file (e.g., the passwd file). Because the kernel hands out the lowest free descriptor number, that file reportedly lands on the closed standard descriptor. The local user can then trigger an error path in which the suid program writes user-supplied data (such as its program name) to stderr, so the arbitrary user-supplied text is written into the root-owned file instead.

It is reported that this vulnerability has been confirmed with an exploit that uses the S/KEY binaries to allow a local user to obtain root privileges on the system.

Impact:   A local user can cause a root owned file to be overwritten with user-specified text, giving the local user root privileges on the system.
Solution:   It is reported that the FreeBSD source trees in CVS have been updated as of April 21, 2002.

The vulnerability status of other BSD-based systems is not known at the time of this entry.

Cause:   State error
Underlying OS:  UNIX (FreeBSD), UNIX (NetBSD), UNIX (OpenBSD), UNIX (macOS/OS X)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(FreeBSD Issues Fix) BSD UNIX Kernel File Descriptor Processing Flaw May Let Local Users Write to Root Owned Files to Gain Root Privileges on the System
The vendor has released a fix.
(Solaris May Be Vulnerable) Re: BSD UNIX Kernel File Descriptor Processing Flaw May Let Local Users Write to Root Owned Files to Gain Root Privileges on the System
A user reports that Solaris 2.5.x is vulnerable.
(OpenBSD Issues Fix) Re: BSD UNIX Kernel File Descriptor Processing Flaw May Let Local Users Write to Root Owned Files to Gain Root Privileges on the System
The vendor has issued a patch.
(FreeBSD Issues Revised Fix) BSD UNIX Kernel File Descriptor Processing Flaw May Let Local Users Write to Root Owned Files to Gain Root Privileges on the System
The vendor has released a revised fix that corrects an error in the earlier patches.
(A Variant of the Original Flaw is Reported) Re: BSD UNIX Kernel File Descriptor Processing Flaw May Let Local Users Write to Root Owned Files to Gain Root Privileges on the System
A similar vulnerability is reported. The original patch does not address this one.
(FreeBSD Is Still Vulnerable) Re: BSD UNIX Kernel File Descriptor Processing Flaw May Let Local Users Write to Root Owned Files to Gain Root Privileges on the System
It is reported that the FreeBSD fix did not fully patch the flaw.
(HP Issues Fix for Tru64) UNIX Kernel File Descriptor Processing Flaw May Let Local Users Write to Root Owned Files to Gain Root Privileges on the System
HP has released ERPs for Tru64 UNIX, which is affected by this flaw.



 Source Message Contents

Subject:  [VulnWatch] Pine Internet Advisory: Setuid application execution may give local root in FreeBSD


-----BEGIN PGP SIGNED MESSAGE-----

 -----------------------------------------------------------------------------
 Pine Internet Security Advisory
 -----------------------------------------------------------------------------
 Advisory ID       : PINE-CERT-20020401
 Authors           : Joost Pol <joost@pine.nl>
 Issue date        : 2002-04-22 
 Application       : Multiple
 Version(s)        : Multiple 
 Platforms         : FreeBSD confirmed, maybe others.
 Vendor informed   : 20020406 
 Availability      : http://www.pine.nl/advisories/pine-cert-20020401.txt
 -----------------------------------------------------------------------------

Synopsis

	It is possible for a local user to execute a suid application with 
	stdin, stdout or stderr closed.

Impact

	HIGH. Local users should be able to gain root privileges. 

Description

	Consider the following (imaginary) suid application:

	-- begin of imaginary code snippet

		#include <stdio.h>

		int main(int argc, char **argv)
		{
			/* open() hands out the lowest free descriptor: if stderr
			 * (fd 2) was closed before exec, the root-owned file
			 * becomes fd 2. */
			FILE * f = fopen("/etc/root_owned_file", "r+");

			if(f) {
				/* With fd 2 pointing at the file, this writes
				 * argv[0] into the root-owned file. */
				fprintf(stderr, "%s: fopen() succeeded\n", argv[0]);

				fclose(f);
			}
			return 0;
		}

	-- end of imaginary code snippet
		
	Now, consider the following (imaginary) exploit:

	-- begin of imaginary exploit snippet

		#include <unistd.h>

		int main(void)
		{
			/* Fill the descriptor table so that, once fd 2 is
			 * closed, it is the only free slot. */
			while(dup(1) != -1); 

			/* Close stderr; the suid program's next open() lands here. */
			close(2);

			/* argv[0] is what the suid program prints to "stderr";
			 * execl() must be terminated by a null char pointer. */
			execl("/path/to/suid_application",
			      "this text will endup in the root_owned_file", (char *)0);
			return 1;
		}

	-- end of imaginary exploit snippet

	Exploitation has been confirmed using the S/KEY binaries. 
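The following is an added example, not code from the advisory or from the FreeBSD project. It shows the userland mitigation a set-id program can apply to itself before touching any file: verify that descriptors 0, 1 and 2 are open and attach /dev/null to any that are not, so a later open() can never land on a standard descriptor. It also demonstrates the aliasing itself in a forked child, with /dev/null standing in for the root-owned file; the function names (ensure_std_fds_open, fd_without_check, fd_with_check) are this example's own. FreeBSD's kernel-side fix applies the same check at exec time for set-id images.

```c
/*
 * Added example (not from the advisory or from FreeBSD): a start-up check
 * for set-id programs, plus a fork()-based demonstration of the descriptor
 * aliasing described in the advisory. All function names are the example's own.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* A descriptor is open if fcntl() can query it; EBADF means it is closed. */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/*
 * Make sure 0, 1 and 2 are all open by attaching /dev/null to any that are
 * closed. open() returns the lowest free descriptor and we work upwards
 * from 0, so the new descriptor lands on the slot being filled.
 * Returns the number of descriptors reopened, or -1 if /dev/null could not
 * be opened (a set-id program should then exit rather than continue).
 */
int ensure_std_fds_open(void)
{
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {            /* defensive: should not happen */
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        reopened++;
    }
    return reopened;
}

/*
 * Run one scenario in a child so the caller's own stderr is never touched.
 * The child closes fd 2, optionally repairs it with ensure_std_fds_open(),
 * then opens a file and reports which descriptor number it received.
 * Returns that number, or -1 on failure.
 */
static int fd_received_after_closing_stderr(int repair_first)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        ensure_std_fds_open();      /* known starting state: 0, 1, 2 open */
        close(2);                   /* what the advisory's exploit does */
        if (repair_first)
            ensure_std_fds_open();  /* the mitigation */
        /* Stands in for fopen("/etc/root_owned_file", "r+") in the suid program. */
        int fd = open("/dev/null", O_RDWR);
        _exit((fd == -1 || fd > 254) ? 255 : fd);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    int fd = WEXITSTATUS(status);
    return fd == 255 ? -1 : fd;
}

/* Without the check the file lands on fd 2, so fprintf(stderr, ...) writes into it. */
int fd_without_check(void) { return fd_received_after_closing_stderr(0); }

/* With the check fd 2 is /dev/null and the file gets a descriptor of 3 or higher. */
int fd_with_check(void) { return fd_received_after_closing_stderr(1); }

int main(void)
{
    printf("file opened after close(2): fd %d without the check, fd %d with it\n",
           fd_without_check(), fd_with_check());
    return 0;
}
```

The check belongs at the very top of main() in any set-id program, before the first fopen() or open(), and a failure to open /dev/null should be treated as fatal. The demonstration compares only descriptor numbers, which is the whole point: the vulnerable program never does anything unusual, it simply trusts that "stderr" still refers to the terminal.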

Solution

	FreeBSD source trees have been updated on the 21st of April 2002. 
	Please cvsup.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQEVAwUBPMPQffplhmN+UTQRAQE/bggAwkCUhmkv5QUVVE/pUcHIkN26Txa0Pv6T
4q4Iu4TKi6YhJYJ5Jlh0YhlgkurVE7/qAokvxEfdgHQTR68uCPJhDQTKp/9uJ+PG
qt+InMh7NHaOdIvEjcH74D9zxEC14uH+SrXmmmZno601d9mLcBZyKs0ZgOFCBnJr
QToyEgs709xtnbs5OP8iPxn6dhZADMPM9NJbtU2EvkSUqRoDB8H1awUAANI/8RzJ
4HOLDkFOkYFaNFvbYMULStGU5nH9OTHtOuTw7decgHBK6h9H8FhYf8Yn2hMq8wf0
p8/v5m535gPHqoX9HWvfMw2LdIr36mol5K9br9033XrOdIG5itn5aQ==
=AMED
-----END PGP SIGNATURE-----

-- 
 patrick oonk - pine internet - patrick@pine.nl - www.pine.nl/~patrick
 T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl 
 PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79 CA36  0BFD 2CB4 7283 A4E7 4BBF
 Note: my NEW PGP key is available at http://www.pine.nl/~patrick/
 Excuse of the day: it has Intel Inside


Copyright 2021, SecurityGlobal.net LLC