Date: Fri, 15 Jun 2001 11:42:41 -0400
From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Subject: Fwd: Re: OpenBSD 2.9,2.8 local root compromise
Message-ID: <5.1.0.14.0.20010615114159.03626180@marble.sentex.ca>

Hi,
Does anyone know either way if FreeBSD is or is not vulnerable?

        ---Mike

>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@securityfocus.com>
>List-Help: <mailto:bugtraq-help@securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Date: Thu, 14 Jun 2001 23:38:03 -0700
>From: Jason R Thorpe <thorpej@zembu.com>
>To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
>Cc: Georgi Guninski <guninski@guninski.com>,
>        Bugtraq <BUGTRAQ@securityfocus.com>
>Subject: Re: OpenBSD 2.9,2.8 local root compromise
>Reply-To: thorpej@zembu.com
>Mail-Followup-To: Jason R Thorpe <thorpej@zembu.com>,
>        Przemyslaw Frasunek <venglin@freebsd.lublin.pl>,
>        Georgi Guninski <guninski@guninski.com>,
>        Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
>User-Agent: Mutt/1.2.5i
>Organization: Zembu Labs, Inc.
>X-Virus-Scanned: by AMaViS perl-10
>
>On Thu, Jun 14, 2001 at 07:09:31PM +0200, Przemyslaw Frasunek wrote:
>
> > On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
> > > OpenBSD 2.9,2.8
> > > Have not tested on other OSes but they may be vulnerable
> >
> > FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
> > privileges before allowing detach.
>
>Uh, the fundamental problem is that there's a chance to PT_ATTACH to
>such a process before the P_SUGID bit is set in the proc.  This can
>happen when, e.g. the ucred structure is copied (there is a potentially
>blocking malloc() call in that path).
>
>A cursory glance shows several places where the FreeBSD kernel has
>code like:
>
>        /* sanity check */
>        /* blocking call */
>        /* change user/group ID */
>        /* set P_SUGID */
>
>During the /* blocking call */, another process can sneak in and PT_ATTACH
>the process that is about to become sugid.
>
>--
>        -- Jason R. Thorpe <thorpej@zembu.com>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
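
The ordering problem described in the quoted reply, as an added example that is not part of the original message and is not FreeBSD or OpenBSD kernel code. It is a deterministic userland model: struct proc, try_attach(), blocking_call() and become_sugid() are hypothetical names, the "already traced" sanity check is an assumed behaviour of the model, and setting P_SUGID before the blocking point is shown as one way to close the window, not as the fix any project shipped.

```c
#include <stdio.h>

#define P_SUGID 0x1   /* flag name from the mail; the value is arbitrary here */

struct proc { int uid; int flags; int traced_by; };   /* simplified stand-in */

enum order { FLAG_AFTER_BLOCK, FLAG_BEFORE_BLOCK };

/* Model of the attach permission check: same uid, target not marked sugid. */
static int try_attach(struct proc *p, int tracer_uid) {
    if ((p->flags & P_SUGID) || p->uid != tracer_uid)
        return 0;
    p->traced_by = tracer_uid;
    return 1;
}

/* Stand-in for the blocking malloc(): while the target sleeps, another
 * process (constructed uid 1000) is scheduled and requests an attach. */
static void blocking_call(struct proc *p) {
    try_attach(p, 1000);
}

/* Model of the credential change. Returns 1 if the process ends up
 * privileged while traced by a different uid (the unsafe outcome). */
static int become_sugid(struct proc *p, int new_uid, enum order o) {
    if (p->traced_by != -1)       /* sanity check (assumed for this model) */
        return 0;
    if (o == FLAG_BEFORE_BLOCK)
        p->flags |= P_SUGID;      /* mark the process before it can sleep */
    blocking_call(p);             /* blocking call */
    p->uid = new_uid;             /* change user/group ID */
    p->flags |= P_SUGID;          /* set P_SUGID */
    return p->traced_by != -1 && p->traced_by != p->uid;
}

/* Run one scenario on a fresh, untraced process owned by uid 1000. */
static int run(enum order o) {
    struct proc p = { 1000, 0, -1 };
    return become_sugid(&p, 0, o);
}

int main(void) {
    printf("P_SUGID set after blocking call : traced while privileged = %d\n",
           run(FLAG_AFTER_BLOCK));
    printf("P_SUGID set before blocking call: traced while privileged = %d\n",
           run(FLAG_BEFORE_BLOCK));
    return 0;
}
```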