Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 15 Jun 2001 19:13:43 +0200
From:      Szilveszter Adam <sziszi@petra.hos.u-szeged.hu>
To:        freebsd-security@freebsd.org
Subject:   Fwd: Re: OpenBSD 2.9,2.8 local root compromise
Message-ID:  <20010615191343.B545@petra.hos.u-szeged.hu>
next in thread | raw e-mail | index | archive | help 

Hello,

I do not think this should go without some investigation. The fact that the
exploit code does not work as posted proves nothing.

I am confident however that the Security Officer Team is already doing its
job.
----- Forwarded message from Jason R Thorpe <thorpej@zembu.com> -----

Date: Thu, 14 Jun 2001 23:38:03 -0700
From: Jason R Thorpe <thorpej@zembu.com>
To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Cc: Georgi Guninski <guninski@guninski.com>,
	Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
Subject: Re: OpenBSD 2.9,2.8 local root compromise
Organization: Zembu Labs, Inc.

On Thu, Jun 14, 2001 at 07:09:31PM +0200, Przemyslaw Frasunek wrote:

 > On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
 > > OpenBSD 2.9,2.8
 > > Have not tested on other OSes but they may be vulnerable
 > 
 > FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
 > privileges before allowing detach.

Uh, the fundamental problem is that there's a chance to PT_ATTACH to
such a process before the P_SUGID bit is set in the proc.  This can
happen when, e.g. the ucred structure is copied (there is a potentially
blocking malloc() call in that path).

A cursory glance shows several places where the FreeBSD kernel has
code like:

	/* sanity check */
	/* blocking call */
	/* change user/group ID */
	/* set P_SUGID */

During the /* blocking call */, another process can sneak in and PT_ATTACH
the process that is about to become sugid.

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>

----- End forwarded message -----

-- 
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010615191343.B545>