Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 18 Feb 1997 19:50:52 -0800
From:      Cy Schubert <cy@cwsys.cwent.com>
To:        tqbf@enteract.com
Cc:        freebsd-security@freebsd.org
Subject:   Re: Security problem in FreeBSD /sbin/init 
Message-ID:  <199702190351.TAA01277@cwsys.cwent.com>
In-Reply-To: Your message of "Tue, 18 Feb 1997 19:34:11 CST." <199702190134.TAA12057@enteract.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

> 
> This problem will probably be picked up by the sweeping audit of your code
> base, but I figured I'd alert you to it anyways.
> 
> FreeBSD, in revisions up to and including -current, has a stack overrun in
> /sbin/init. The affected routines are "start_getty()" and
> "start_window_system()", both of which can be tricked into reading an
> overly large "type" entry from the /etc/ttys file (which is copied into an
> array on the stack used to hold the "TERM" environment variable for a
> subsequent execve() call).
> 
> This overflow is only exploitable if you control /etc/ttys. On almost all
> systems, this means it's only an issue if you're root.
> 
> Unfortunately, this is a serious issue in init's case. Unbeknownst to
> many, init (or, more specifically, PID 1) can change the securelevel
> arbitrarily in 4.4BSD systems. The purpose of securelevels is to "secure
> the system from root", disabling the modification of crucial system
> binaries. The "immutable" flag depends on this concept. This overflow
> provides intruders with a means to evade the immutable (or append-only, or
> any other securelevel-dependant concept) mechanism.
> 
> Given my relative unfamiliarity with the FreeBSD CVS "protocol", such as
> it is, I'll leave it for another developer to fix this. The problem is an
> unchecked string copy in both routines, and can easily be resolved by
> sticking an "n" in the strcpy() function call.
> 
> Good luck with the audit.

I don't think this is a security problem since /sbin/init has permissions
of 500 and /etc/ttys has permissions of 644.


Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

                "Quit spooling around, JES do it."

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702190351.TAA01277>