Date: Tue, 10 Jul 2001 09:40:18 -0700
From: Jason DiCioccio <jdicioccio@epylon.com>
To: 'Mike Tancsa' <mike@sentex.net>, security@freebsd.org
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-01:
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA02FFEFA3@goofy.epylon.lan>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, I just exploited it with the exploit posted to bugtraq, it is
trivial.. the only way I have found to temporarily stop stupid script
kiddies while I upgrade is:

touch /tmp/sh
chmod 0 /tmp/sh

I'd upgrade real soon..

Cheers,
- -JD-

- -----Original Message-----
From: Mike Tancsa [mailto:mike@sentex.net]
Sent: Tuesday, July 10, 2001 9:25 AM
To: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:

Does anyone know if there are active exploits out there for this issue ?
Is it trivial / script kiddie friendly hole ?  Just trying to get a
sense of how urgent it is to upgrade.

        ---Mike

At 07:02 AM 7/10/01 -0700, FreeBSD Security Advisories wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>FreeBSD-SA-01:42                                            Security Advisory
>                                                                FreeBSD, Inc.
>
>Topic:          signal handling during exec may allow local root compromise
>
>Category:       core
>Module:         kernel
>Announced:      2001-07-10
>Credits:        Georgi Guninski <guninski@guninski.com>
>Affects:        All released versions of FreeBSD 4.x,
>                FreeBSD 4.3-STABLE prior to the correction date.
>Corrected:      2001-07-09
>FreeBSD only:   Yes
>
>I.   Background
>
>When a process forks, it inherits the parent's signals.  When the
>process execs, the kernel clears the signal handlers because they
>are not valid in the new address space.
>
>II.  Problem Description
>
>A flaw exists in FreeBSD signal handler clearing that would allow
>for some signal handlers to remain in effect after the exec.  Most
>of the signals were cleared, but some signal handlers were not.
>This allowed an attacker to execute arbitrary code in the context of
>a setuid binary.
>
>All versions of 4.x prior to the correction date including
>4.3-RELEASE are vulnerable to this problem.  The problem has been
>corrected by copying the inherited signal handlers and resetting the
>signals instead of sharing the signal handlers.
>
>III. Impact
>
>Local users may be able to gain increased privileges on the local
>system.
>
>IV.  Workaround
>
>Do not allow untrusted users to gain access to the local system.
>
>V.   Solution
>
>One of the following:
>
>1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE after the
>correction date.
>
>2) To patch your present system: download the relevant patch from
>the below location, and execute the following commands as root:
>
>[FreeBSD 4.1, 4.2, and 4.3 base systems]
>
>This patch has been verified to apply to FreeBSD 4.1, 4.2, and 4.3
>only.  It may or may not apply to older releases.
>
># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:42/signal-4.3.patch
># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:42/signal-4.3.patch.asc
>
>Verify the detached PGP signature using your PGP utility.
>
># cd /usr/src/sys/kern
># patch -p < /path/to/patch
>
>[ Recompile your kernel as described in
>http://www.freebsd.org/handbook/kernelconfig.html and reboot the
>system ]
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (FreeBSD)
>Comment: FreeBSD: The Power To Serve
>
>iQCVAwUBO0sBrlUuHi5z0oilAQF4nAP/Wi8RsYGjJQ7NgP/+FwMs8/lekAJ9iEan
>3Ph7xpsFEhJFWhCfrhmM71fMnOwpZ5kijztSOEko7TMRzTtG+dZLKcCKmVg+a1dT
>SJmm2SJp3NE1nlYVqSH1vfVeVcJI5rtAQ33gTPhiL5U26AMr4wep/Elv1p/Shb/D
>CUpueXr6tEE=
>=n74Z
>-----END PGP SIGNATURE-----
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO0swv1CmU62pemyaEQIRMwCgrtEr+ECiBqG3U2LVyiXr/4qG6d8AniiH
Hg2QUoJx7soua+XBKajtExuV
=Zw3k
-----END PGP SIGNATURE-----
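The advisory's Background and Problem Description sections describe the invariant the SA-01:42 patch restores: a signal handler caught by the parent must be reset to SIG_DFL by exec, because the handler's address means nothing in the new image, and the bug was that some handlers were left in place. The C program below is an added example, not part of this thread and not FreeBSD's advisory, patch or test code; it is a regression check a defender can run on any POSIX system to confirm that exec resets caught handlers. It installs handlers for an assumed set of ordinary signals (probe_signals), forks, execs itself with a "--child" argument, and counts in the new image how many caught handlers survived; the function and constant names are assumptions made for this example, and only the POSIX sigaction, fork, execl and waitpid calls are used. A correct kernel reports 0; SIG_IGN dispositions are deliberately not counted, since POSIX allows those to survive exec.

```c
/* Added example, not from the advisory or the FreeBSD source tree:
 * a regression check that exec() resets caught signal handlers to
 * SIG_DFL, the invariant SA-01:42 says the kernel must uphold.
 *
 *   cc -Wall -o exec_sigcheck exec_sigcheck.c && ./exec_sigcheck
 */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Ordinary catchable signals that nothing in this program raises, so
 * installing handlers for them is harmless (assumed probe set). */
static const int probe_signals[] = {
    SIGHUP, SIGINT, SIGQUIT, SIGUSR1, SIGUSR2, SIGTERM, SIGALRM, SIGPIPE
};
#define NPROBE ((int)(sizeof probe_signals / sizeof probe_signals[0]))

static void probe_handler(int sig) { (void)sig; }

/* Catch every probe signal with probe_handler; returns how many were set. */
int install_probe_handlers(void) {
    int n = 0;
    for (int i = 0; i < NPROBE; i++) {
        struct sigaction sa;
        memset(&sa, 0, sizeof sa);
        sa.sa_handler = probe_handler;
        sigemptyset(&sa.sa_mask);
        if (sigaction(probe_signals[i], &sa, NULL) == 0)
            n++;
    }
    return n;
}

/* Put every probe signal back to SIG_DFL; returns how many were reset. */
int reset_probe_handlers(void) {
    int n = 0;
    for (int i = 0; i < NPROBE; i++) {
        struct sigaction sa;
        memset(&sa, 0, sizeof sa);
        sa.sa_handler = SIG_DFL;
        sigemptyset(&sa.sa_mask);
        if (sigaction(probe_signals[i], &sa, NULL) == 0)
            n++;
    }
    return n;
}

/* Count probe signals whose disposition is a caught handler, i.e. neither
 * SIG_DFL nor SIG_IGN.  In a freshly exec'd image this must be 0: a
 * handler address from the old image means nothing in the new one.
 * SIG_IGN may legitimately survive exec and is therefore not counted. */
int count_surviving_handlers(void) {
    int leaked = 0;
    for (int i = 0; i < NPROBE; i++) {
        struct sigaction sa;
        if (sigaction(probe_signals[i], NULL, &sa) != 0)
            continue;
        if (sa.sa_handler != SIG_DFL && sa.sa_handler != SIG_IGN)
            leaked++;
    }
    return leaked;
}

/* Install the probes, fork, exec this same binary with "--child", and
 * read back the child's count_surviving_handlers() from its exit status.
 * Returns that count (0 on a correct kernel) or -1 if the check itself
 * could not run (fork/exec failure, child killed by a signal). */
int check_exec_resets_handlers(const char *self_path) {
    install_probe_handlers();
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(self_path, self_path, "--child", (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 127 ? -1 : code;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--child") == 0)
        return count_surviving_handlers();   /* we are the exec'd image */

    int leaked = check_exec_resets_handlers(argv[0]);
    if (leaked < 0) {
        fprintf(stderr, "exec_sigcheck: could not run the check\n");
        return 2;
    }
    printf("%d of %d caught handlers survived exec: %s\n",
           leaked, NPROBE, leaked == 0 ? "OK" : "FAIL");
    return leaked == 0 ? 0 : 1;
}
```

The child reports through its exit status because nothing else survives the exec boundary, which is exactly the property being checked; an exit status of 127 is reserved for "exec itself failed" so it cannot be mistaken for a leak count. The probe set avoids SIGCHLD on purpose: a caught SIGCHLD would interrupt the parent's waitpid and muddy the result.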