SecurityTracker.com
Category:   OS (UNIX)  >   Kernel (please use specific OS kernel)
Vendors:   [Multiple Authors/Vendors]
(OpenBSD Issues Fix) Re: BSD UNIX Kernel File Descriptor Processing Flaw May Let Local Users Write to Root Owned Files to Gain Root Privileges on the System
SecurityTracker Alert ID:  1004263
SecurityTracker URL:  http://securitytracker.com/id/1004263
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 9 2002
Impact:   Modification of system information, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   It is reported that there is a flaw in the FreeBSD kernel that allows a local user to obtain root privileges. Other BSD-based systems may also be affected.

It is reported that a kernel flaw in the allocation of file descriptors may allow a local user to obtain elevated privileges by exploiting a set user id (suid) or set group id (sgid) application.

A local user can run a program that calls a set user id (suid) application, causing file descriptors to be duplicated using the dup() function, and then closes one or more of the stdio descriptors to set up the exploit. Then, the local user can reportedly call a suid root application that opens a root-owned file (e.g., the passwd file). The local user can apparently invoke an error, causing the suid program to write user-supplied data to stderr. Because the newly opened file can be assigned the descriptor slot that stderr normally occupies, this may cause the arbitrary user-supplied text to be written to the root-owned file.

It is reported that this vulnerability has been confirmed with an exploit that uses the S/KEY binaries to allow a local user to obtain root privileges on the system.

Impact:   A local user can cause a root-owned file to be overwritten with user-specified text, giving the local user root privileges on the system.
Solution:   The vendor has issued a source code patch.

For OpenBSD 2.9:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/026_fdalloc2.patch


For OpenBSD 3.0:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/021_fdalloc2.patch


For OpenBSD 3.1:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/003_fdalloc2.patch

Cause:   State error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  2.9, 3.0, 3.1

Message History:   This archive entry is a follow-up to the message listed below.
Apr 22 2002 BSD UNIX Kernel File Descriptor Processing Flaw May Let Local Users Write to Root Owned Files to Gain Root Privileges on the System



 Source Message Contents

Subject:  OpenBSD fix


021: SECURITY FIX: May 8, 2002

     A race condition exists where an attacker could fill the file
descriptor table and defeat the kernel's protection of fd slots 0, 1,
and 2 for a setuid or setgid process. A source code patch exists which
remedies the problem. 

For OpenBSD 2.9:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/026_fdalloc2.patch


For OpenBSD 3.0:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/021_fdalloc2.patch


For OpenBSD 3.1:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/003_fdalloc2.patch
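
The kernel patches above protect fd slots 0, 1, and 2 for set-id processes. As an added example (not part of the advisory and not the OpenBSD patch), the following shows the matching userland check a set-id program can perform at startup, and demonstrates why an unprotected slot is dangerous. The function names are assumptions, and /dev/null stands in for a sensitive file.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper (the name is an assumption): call first thing in main()
 * of a set-id program. Any of slots 0, 1, 2 that the caller left closed is
 * pinned to /dev/null. Returns the number of slots filled, or -1 on error
 * (a real set-id program should then exit without opening anything). */
int sanitise_stdio_fds(void)
{
    int filled = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                       /* slot is already open */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {                    /* not expected; force the slot */
            if (dup2(nfd, fd) == -1) { close(nfd); return -1; }
            close(nfd);
        }
        filled++;
    }
    return filled;
}

/* Demonstration: close stderr, then report which descriptor number the next
 * open() receives, with or without the hardening. Restores stderr after. */
int fd_for_next_open(int harden)
{
    int saved = fcntl(2, F_DUPFD, 10);      /* park the real stderr at >= 10 */
    int fd = -1;
    close(2);
    if (!harden || sanitise_stdio_fds() != -1)
        fd = open("/dev/null", O_WRONLY);   /* stands in for a sensitive file */
    if (fd > 2)
        close(fd);
    if (saved != -1) { dup2(saved, 2); close(saved); }
    return fd;
}

int main(void)
{
    sanitise_stdio_fds();                   /* start from a known state */
    printf("unhardened: next open() got fd %d\n", fd_for_next_open(0));
    printf("hardened:   next open() got fd %d\n", fd_for_next_open(1));
    return 0;
}
```

Without the check, the file opened after stderr is closed lands in slot 2, so any later diagnostic written to stderr goes into that file; with the check, the file receives a descriptor of 3 or higher.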


 
 

