Date: Sun, 3 Aug 1997 10:21:09 -0500
From: Karl Denninger
To: Marc Slemko
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Vulnerability in 4.4BSD rfork() implementation
Message-ID: <19970803102109.40387@Jupiter.Mcs.Net>
References: <199708030102.UAA20008@enteract.com>
In-Reply-To: from Marc Slemko on Sat, Aug 02, 1997 at 09:53:52PM -0600

The patch does not build on -CURRENT; the make process returns a complaint
for the DISPATCH macro.

The kernel patch *is* effective.

--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 99 Analog numbers, 77 ISDN, http://www.mcs.net/
Voice: [+1 312 803-MCS1 x219]| NOW Serving 56kbps DIGITAL on our analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

On Sat, Aug 02, 1997 at 09:53:52PM -0600, Marc Slemko wrote:
> On Sat, 2 Aug 1997, Thomas H. Ptacek wrote:
>
> > ----------------------------------------------------------------------------
> >
> > OpenBSD Security Advisory
> >
> > August 2, 1997
> >
> > Vulnerability in rfork() System Call
> >
> > ----------------------------------------------------------------------------
> >
> > SYNOPSIS
> >
> > A vulnerability in certain 4.4BSD kernels allows processes to gain
> > access to restricted resources by manipulating the file descriptor
> > tables of SUID and SGID executables. Applications of this vulnerability
> > will allow users to gain root access.
> >
> > ----------------------------------------------------------------------------
> >
> > AFFECTED SYSTEMS
> >
> > It is believed that all 4.4BSD operating systems implementing the
> > rfork() system call are currently vulnerable to this problem. These
> > operating systems include OpenBSD 2.1 and FreeBSD 3.0. The OpenBSD
> > project has resolved this problem in OpenBSD-current.
>
> Since this wasn't entirely clear on some of the FreeBSD aspects, a few
> comments...
>
> First, this is a real hole. Earlier today it took me only a few minutes
> to make a program to add another uid 0 to your passwd file to give you
> root access. With the skeleton code posted in this advisory, it is even
> easier.
>
> Secondly, FreeBSD 2.2 (probably any version of 2.2-current starting
> around 1996/02/23) and 3.0 are both vulnerable. 2.1 and earlier are not.
>
> Third, I would recommend the use of the loadable module included in the
> advisory to close the hole temporarily until there is a FreeBSD advisory
> or patch. While the supplied patch for kern_exec looks fine, using the
> module is easier and saves you having to do things twice when an official
> patch comes out. Few things (very few...) use rfork() so it shouldn't
> hurt much.
>
> To use the loadable module, unarchive the shell archive included in the
> original post, type "make", then do something like:
>
>     modload -e disable_rfork disable_rfork.o
>
> as root. You should get a kernel message that the rfork() call is
> disabled. You should probably make it load at boot to prevent someone
> from deliberately crashing the system to remove the protection.
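A way to confirm that the disable_rfork module workaround is actually in effect after modload (or after a reboot), as an added example that is not part of this post or the advisory: a small probe that attempts rfork(2) and reports whether the call is disabled. It assumes that the disabled syscall entry fails with ENOSYS and that RFPROC is declared in <unistd.h> on the BSD in question; on a system without rfork(2) it just reports "unsupported".

```c
/* Added example, not from the list post or the OpenBSD advisory: probe
 * whether rfork(2) is still callable, to verify the disable_rfork
 * workaround. Assumption: a disabled sysent entry fails with ENOSYS. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum rfork_state { RFORK_USABLE, RFORK_DISABLED, RFORK_UNSUPPORTED, RFORK_ERROR };

/* Pure classifier, separated out so the verdict logic is checkable on any OS. */
enum rfork_state classify_rfork(int rv, int err)
{
    if (rv >= 0)
        return RFORK_USABLE;     /* call went through: module not loaded */
    if (err == ENOSYS)
        return RFORK_DISABLED;   /* assumed errno for the removed syscall */
    return RFORK_ERROR;          /* something else, e.g. EAGAIN from a limit */
}

/* Attempt the call with the minimal flag set (a plain fork-like child). */
enum rfork_state probe_rfork(void)
{
#ifdef RFPROC
    int status;
    pid_t pid = rfork(RFPROC);
    if (pid == 0)
        _exit(0);                 /* child: do nothing and leave */
    if (pid > 0)
        waitpid(pid, &status, 0); /* parent: reap the child */
    return classify_rfork(pid, errno);
#else
    return RFORK_UNSUPPORTED;     /* no rfork(2) on this platform */
#endif
}

int main(void)
{
    static const char *names[] = { "usable (workaround NOT active)",
                                   "disabled (workaround active)",
                                   "unsupported on this platform",
                                   "failed for an unrelated reason" };
    enum rfork_state s = probe_rfork();
    printf("rfork(2): %s\n", names[s]);
    return s == RFORK_DISABLED ? 0 : 1;
}
```

Run it as an unprivileged user after loading the module; exit status 0 means the call is blocked.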