From owner-freebsd-security Fri Jun 15 8:48:28 2001
Date: Fri, 15 Jun 2001 11:42:41 -0400
To: security@freebsd.org
From: Mike Tancsa
Subject: Fwd: Re: OpenBSD 2.9,2.8 local root compromise

Hi,

Does anyone know either way if FreeBSD is or is not vulnerable?

---Mike

>Date: Thu, 14 Jun 2001 23:38:03 -0700
>From: Jason R Thorpe
>To: Przemyslaw Frasunek
>Cc: Georgi Guninski, Bugtraq
>Subject: Re: OpenBSD 2.9,2.8 local root compromise
>Organization: Zembu Labs, Inc.
>
>On Thu, Jun 14, 2001 at 07:09:31PM +0200, Przemyslaw Frasunek wrote:
>
> > On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
> > > OpenBSD 2.9,2.8
> > > Have not tested on other OSes but they may be vulnerable
> >
> > FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
> > privileges before allowing detach.
>
>Uh, the fundamental problem is that there's a chance to PT_ATTACH to
>such a process before the P_SUGID bit is set in the proc. This can
>happen when, e.g. the ucred structure is copied (there is a potentially
>blocking malloc() call in that path).
>
>A cursory glance shows several places where the FreeBSD kernel has
>code like:
>
> /* sanity check */
> /* blocking call */
> /* change user/group ID */
> /* set P_SUGID */
>
>During the /* blocking call */, another process can sneak in and PT_ATTACH
>the process that is about to become sugid.
>
>--
> -- Jason R. Thorpe
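The window Jason describes above, as an added illustration that is not code from the thread or from the FreeBSD kernel: a userland C model in which the scheduler switch during the blocking call is simulated by a hook that runs the other process's PT_ATTACH attempt. The proc struct, the P_TRACED flag and the hardened ordering are assumptions of this model, and it goes beyond the thread by showing one way to close the window (mark the process set-id before anything that can sleep, and re-check for a tracer afterwards).

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy process flags: P_SUGID is the bit the thread names, P_TRACED is assumed here. */
#define P_SUGID  0x1
#define P_TRACED 0x2
struct proc { unsigned flags; unsigned uid; };

/* What happens while the kernel path sleeps: the scheduler runs another process. */
typedef void (*sleep_hook)(struct proc *);
typedef void (*setid_path)(struct proc *, unsigned, sleep_hook);

/* Model of PT_ATTACH: refused once the target is already marked set-id. */
static bool pt_attach(struct proc *target) {
    if (target->flags & P_SUGID)
        return false;
    target->flags |= P_TRACED;
    return true;
}

/* The ordering Jason quotes: check, sleep, change IDs, only then mark set-id. */
static void vulnerable_setid(struct proc *p, unsigned uid, sleep_hook block) {
    if (p->uid == uid) return;   /* sanity check */
    block(p);                    /* blocking call (e.g. malloc() in the ucred copy) */
    p->uid = uid;                /* change user/group ID */
    p->flags |= P_SUGID;         /* set P_SUGID: too late, an attach already went through */
}

/* Hardened ordering (assumed fix): mark set-id before anything that can sleep,
   and refuse to raise privilege if a tracer slipped in during the window anyway. */
static void hardened_setid(struct proc *p, unsigned uid, sleep_hook block) {
    if (p->uid == uid) return;
    p->flags |= P_SUGID;
    block(p);
    if (p->flags & P_TRACED) return;   /* traced during the window: abort */
    p->uid = uid;
}

/* The other process that the scheduler runs during the sleep. */
static void other_process(struct proc *victim) { (void)pt_attach(victim); }

/* True if the path finished privileged (uid 0) with a tracer attached. */
static bool ends_traced_and_privileged(setid_path path) {
    struct proc p = { 0, 1000 };   /* constructed sample: unprivileged process */
    path(&p, 0, other_process);
    return (p.flags & P_TRACED) != 0 && p.uid == 0;
}

int main(void) {
    printf("vulnerable ordering: %s\n", ends_traced_and_privileged(vulnerable_setid) ? "tracer on root proc" : "safe");
    printf("hardened ordering:   %s\n", ends_traced_and_privileged(hardened_setid) ? "tracer on root proc" : "safe");
    return 0;
}
```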