From owner-freebsd-security Fri Aug 27 15: 4:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from burka.rdy.com (burka.rdy.com [205.149.163.30]) by hub.freebsd.org (Postfix) with ESMTP id 60FE11557D for ; Fri, 27 Aug 1999 15:04:42 -0700 (PDT) (envelope-from dima@burka.rdy.com)
Received: (from dima@localhost) by burka.rdy.com (8.9.3/RDY&DVV) id PAA09830; Fri, 27 Aug 1999 15:04:19 -0700 (PDT)
Message-Id: <199908272204.PAA09830@burka.rdy.com>
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
In-Reply-To: <199908272152.PAA76258@harmony.village.org> from Warner Losh at "Aug 27, 1999 03:52:43 pm"
To: imp@village.org (Warner Losh)
Date: Fri, 27 Aug 1999 15:04:19 -0700 (PDT)
Cc: ludwigp@bigfoot.com (Ludwig Pummer), freebsd-security@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Warner Losh writes:
> In message <37C6C42E.78E600F4@bigfoot.com> Ludwig Pummer writes:
> : It was pointed out yesterday that 3 conditions need to be present for
> : this to be exploitable, and 2.2.8 doesn't have at least one of the
> : conditions (core dump won't follow symlinks in 2.2.8).
>
> Others have pointed out to me that 2.x will, indeed, follow symlinks.
> I don't have a system handy that I can test on (all my 2.x systems
> have core dumps turned off completely because they are on ultra-tiny
> disks).

That was exactly my problem (coredumps are disabled). Sorry about that.

RELENG_2_2 is indeed vulnerable, and the patch is ready. As soon as I get a review, I'll commit it.

Patch is attached.
> > Warner > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- dima *** sys/LINK/fcntl.h Wed Dec 18 05:08:08 1996 --- sys/fcntl.h Fri Aug 27 14:39:26 1999 *************** *** 84,89 **** --- 84,90 ---- #define O_EXLOCK 0x0020 /* open with exclusive file lock */ #define O_ASYNC 0x0040 /* signal pgrp when data ready */ #define O_FSYNC 0x0080 /* synchronous writes */ + #define O_NOFOLLOW 0x0100 /* don't follow symlinks */ #endif #define O_CREAT 0x0200 /* create if nonexistent */ #define O_TRUNC 0x0400 /* truncate to zero length */ *** kern/LINK/kern_sig.c Sat Dec 21 10:57:24 1996 --- kern/kern_sig.c Fri Aug 27 14:38:25 1999 *************** *** 1241,1249 **** p->p_rlimit[RLIMIT_CORE].rlim_cur) return (EFAULT); sprintf(name, "%s.core", p->p_comm); ! NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, name, p); if ((error = vn_open(&nd, ! O_CREAT | FWRITE, S_IRUSR | S_IWUSR))) return (error); vp = nd.ni_vp; --- 1241,1249 ---- p->p_rlimit[RLIMIT_CORE].rlim_cur) return (EFAULT); sprintf(name, "%s.core", p->p_comm); ! NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p); if ((error = vn_open(&nd, ! O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR))) return (error); vp = nd.ni_vp; *** kern/LINK/vfs_vnops.c Sat Mar 8 07:16:18 1997 --- kern/vfs_vnops.c Fri Aug 27 14:37:01 1999 *************** *** 87,93 **** if (fmode & O_CREAT) { ndp->ni_cnd.cn_nameiop = CREATE; ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF; ! if ((fmode & O_EXCL) == 0) ndp->ni_cnd.cn_flags |= FOLLOW; error = namei(ndp); if (error) --- 87,93 ---- if (fmode & O_CREAT) { ndp->ni_cnd.cn_nameiop = CREATE; ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF; ! if ((fmode & O_EXCL) == 0 && (fmode & O_NOFOLLOW) == 0) ndp->ni_cnd.cn_flags |= FOLLOW; error = namei(ndp); if (error) *************** *** 119,125 **** } } else { ndp->ni_cnd.cn_nameiop = LOOKUP; ! 
ndp->ni_cnd.cn_flags = FOLLOW | LOCKLEAF; error = namei(ndp); if (error) return (error); --- 119,126 ---- } } else { ndp->ni_cnd.cn_nameiop = LOOKUP; ! ndp->ni_cnd.cn_flags = ! ((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) | LOCKLEAF; error = namei(ndp); if (error) return (error); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
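Review bot: in the sys/fcntl.h hunk the new `O_NOFOLLOW` line sits just before the visible `#endif`, so it inherits whatever conditional guards `O_EXLOCK`, `O_ASYNC` and `O_FSYNC`; since kern_sig.c and vfs_vnops.c now depend on the macro, confirm that conditional is satisfied when the kernel is compiled, or place the define next to `O_CREAT`/`O_TRUNC` outside the guard. The value 0x0100 is the free bit between `O_FSYNC 0x0080` and `O_CREAT 0x0200`, which is fine, but because this header is visible to userland the flag also needs an entry in open(2) stating which error an open of a symbolic link returns when it is set.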
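Review bot: in the kern_sig.c hunk the change from `FOLLOW` to `NOFOLLOW` on the `NDINIT` line is redundant: vn_open (see the vfs_vnops.c hunks) assigns `ndp->ni_cnd.cn_flags` itself in both the O_CREAT branch and the lookup branch, so whatever NDINIT set is overwritten and only the `O_NOFOLLOW` bit added to the vn_open mode takes effect. Harmless, but a comment on the NDINIT line saying that vn_open decides the follow policy would stop a later reader from assuming NDINIT alone protects the core dump path. Also worth stating in the commit message: the name comes from `sprintf(name, "%s.core", p->p_comm)` and is looked up relative to the process's current directory, so the change covers exactly the case of a symlink named `<comm>.core`; a pre-existing regular file of that name is still opened for writing as before.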
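Review bot: in the first vfs_vnops.c hunk (the O_CREAT branch), not setting `FOLLOW` when `O_NOFOLLOW` is present changes what namei returns but not what vn_open does with it: when the final component is an existing symlink, namei in CREATE mode now returns the link's own vnode in `ndp->ni_vp`, and nothing in the visible code rejects that, so the open proceeds on a VLNK vnode instead of failing. The `O_EXCL` case this condition is modelled on is safe only because O_EXCL goes on to fail with EEXIST for any existing vnode; O_NOFOLLOW has no equivalent failure path. Add an explicit check after namei that rejects `vp->v_type == VLNK` with an error (EMLINK is what FreeBSD's open(2) later documents for this case), releasing the vnode, and the locked parent in the create case, the same way the existing error returns after namei do.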
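Review bot: the second vfs_vnops.c hunk (the plain LOOKUP branch) has the same gap as the create branch: with `NOFOLLOW`, namei returns the symlink's vnode and the visible code then continues as for a regular open, so an open with O_NOFOLLOW on a symlink succeeds on the link itself rather than returning an error. Whatever VLNK rejection is added should be placed after both namei calls (or once, where the two branches rejoin) so the two paths behave identically, and the chosen errno belongs in open(2). Minor style point: the ternary split across two `!` lines would read better as a local `int follow = (fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW;` computed once at the top of vn_open and used by both branches, which would also remove the duplicated `(fmode & O_NOFOLLOW) == 0` test in the create hunk.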