Date:      Fri, 15 Jun 2001 11:42:41 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        security@freebsd.org
Subject:   Fwd: Re: OpenBSD 2.9,2.8 local root compromise
Message-ID:  <5.1.0.14.0.20010615114159.03626180@marble.sentex.ca>

Hi,
Does anyone know either way if FreeBSD is or is not vulnerable?

         ---Mike



>Date: Thu, 14 Jun 2001 23:38:03 -0700
>From: Jason R Thorpe <thorpej@zembu.com>
>To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
>Cc: Georgi Guninski <guninski@guninski.com>,
>    Bugtraq <BUGTRAQ@securityfocus.com>
>Subject: Re: OpenBSD 2.9,2.8 local root compromise
>Reply-To: thorpej@zembu.com
>Mail-Followup-To: Jason R Thorpe <thorpej@zembu.com>,
>         Przemyslaw Frasunek <venglin@freebsd.lublin.pl>,
>         Georgi Guninski <guninski@guninski.com>,
>         Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
>User-Agent: Mutt/1.2.5i
>Organization: Zembu Labs, Inc.
>X-Virus-Scanned: by AMaViS perl-10
>
>On Thu, Jun 14, 2001 at 07:09:31PM +0200, Przemyslaw Frasunek wrote:
>
>  > On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
>  > > OpenBSD 2.9,2.8
>  > > Have not tested on other OSes but they may be vulnerable
>  >
>  > FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
>  > privileges before allowing detach.
>
>Uh, the fundamental problem is that there's a chance to PT_ATTACH to
>such a process before the P_SUGID bit is set in the proc.  This can
>happen when, e.g. the ucred structure is copied (there is a potentially
>blocking malloc() call in that path).
>
>A cursory glance shows several places where the FreeBSD kernel has
>code like:
>
>         /* sanity check */
>         /* blocking call */
>         /* change user/group ID */
>         /* set P_SUGID */
>
>During the /* blocking call */, another process can sneak in and PT_ATTACH
>the process that is about to become sugid.
>
>--
>         -- Jason R. Thorpe <thorpej@zembu.com>
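
The ordering problem described in the forwarded message, as an added example that is not part of the original e-mail or of any kernel source: a user-space C model in which the blocking call is the point where a tracer's attach check gets to run. `struct proc`, the `P_SUGID` value, `pt_attach()` and the reordered variant are assumptions made for illustration, not FreeBSD code or its actual fix.

```c
/* User-space model only: struct proc, P_SUGID value and pt_attach() are
 * constructed stand-ins, not FreeBSD kernel code. */
#include <stdbool.h>
#include <stdio.h>

#define P_SUGID 0x1
struct proc { int uid; int flags; bool traced; };

/* Model of the attach permission check: same uid, target not set-id. */
static bool pt_attach(struct proc *t, int tracer_uid) {
    if ((t->flags & P_SUGID) || t->uid != tracer_uid)
        return false;
    t->traced = true;
    return true;
}

/* Ordering from the message: check, block, change IDs, set P_SUGID. */
static void setid_racy(struct proc *p, int new_uid, int tracer_uid) {
    if (p->traced) return;            /* sanity check */
    pt_attach(p, tracer_uid);         /* blocking call: tracer runs here */
    p->uid = new_uid;                 /* change user/group ID */
    p->flags |= P_SUGID;              /* set P_SUGID (too late) */
}

/* Assumed reordering: mark first, then re-check after the sleep. */
static void setid_ordered(struct proc *p, int new_uid, int tracer_uid) {
    if (p->traced) return;            /* sanity check */
    p->flags |= P_SUGID;              /* set P_SUGID before sleeping */
    pt_attach(p, tracer_uid);         /* blocking call: attach is refused */
    if (p->traced) return;            /* state may have changed: re-check */
    p->uid = new_uid;                 /* change user/group ID */
}

/* Returns true if the process ends up traced while holding new_uid. */
bool traced_with_new_ids(bool racy) {
    struct proc p = { .uid = 1000, .flags = 0, .traced = false };
    if (racy) setid_racy(&p, 0, 1000);
    else      setid_ordered(&p, 0, 1000);
    return p.traced && p.uid == 0;
}

int main(void) {
    printf("racy ordering exposed:   %d\n", traced_with_new_ids(true));
    printf("ordered variant exposed: %d\n", traced_with_new_ids(false));
    return 0;
}
```

When auditing for this pattern, look for any call that can sleep between a privilege-related check and the state change that the check was meant to protect.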

