From owner-freebsd-security Fri Jun 15 10:14:01 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sol.serv.u-szeged.hu (sol.serv.u-szeged.hu [160.114.51.3])
	by hub.freebsd.org (Postfix) with ESMTP id 7F0DC37B401
	for ; Fri, 15 Jun 2001 10:13:47 -0700 (PDT)
	(envelope-from sziszi@petra.hos.u-szeged.hu)
Received: from petra.hos.u-szeged.hu by sol.serv.u-szeged.hu (8.9.3+Sun/SMI-SVR4)
	id TAA14874; Fri, 15 Jun 2001 19:13:45 +0200 (MEST)
Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian))
	id 15AxAF-0000pt-00 for ; Fri, 15 Jun 2001 19:13:43 +0200
Date: Fri, 15 Jun 2001 19:13:43 +0200
From: Szilveszter Adam
To: freebsd-security@freebsd.org
Subject: Fwd: Re: OpenBSD 2.9,2.8 local root compromise
Message-ID: <20010615191343.B545@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam , freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello,

I do not think this should go without some investigation. The fact that the
exploit code does not work as posted proves nothing. I am confident however
that the Security Officer Team is already doing its job.

----- Forwarded message from Jason R Thorpe -----

Date: Thu, 14 Jun 2001 23:38:03 -0700
From: Jason R Thorpe
To: Przemyslaw Frasunek
Cc: Georgi Guninski , Bugtraq
Subject: Re: OpenBSD 2.9,2.8 local root compromise
Organization: Zembu Labs, Inc.

On Thu, Jun 14, 2001 at 07:09:31PM +0200, Przemyslaw Frasunek wrote:
> On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
> > OpenBSD 2.9,2.8
> > Have not tested on other OSes but they may be vulnerable
>
> FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
> privileges before allowing detach.

Uh, the fundamental problem is that there's a chance to PT_ATTACH to such a
process before the P_SUGID bit is set in the proc. This can happen when, e.g.
the ucred structure is copied (there is a potentially blocking malloc() call
in that path).

A cursory glance shows several places where the FreeBSD kernel has code like:

	/* sanity check */

	/* blocking call */

	/* change user/group ID */

	/* set P_SUGID */

During the /* blocking call */, another process can sneak in and PT_ATTACH
the process that is about to become sugid.

-- 
        -- Jason R. Thorpe

----- End forwarded message -----

-- 
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
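Added example, not part of the thread and not FreeBSD or OpenBSD kernel code: a small userspace C model of the ordering Thorpe describes. A simulated proc carries a P_SUGID flag; the PT_ATTACH check refuses to attach once that flag is set; the set-id path is written twice, once in the vulnerable order from the post (sanity check, blocking call, credential change, then P_SUGID) and once in a hardened order that marks the process set-id before anything can block and re-checks for a tracer afterwards. The "blocking call" is a caller-supplied hook so the interleaving is deterministic. All names, flag values and the hardened ordering are assumptions made for illustration; the real kernels' fixes are not shown on this page.

```c
/* Added example: userspace model of the set-id / PT_ATTACH race described in
 * the forwarded message. Not kernel code; every name here is invented. */
#include <stdio.h>

#define P_SUGID  0x1u   /* process has changed credentials (invented value) */
#define P_TRACED 0x2u   /* a tracer is attached (invented value) */

struct proc {
    unsigned flags;
    int uid;        /* effective uid after the set-id exec */
    int saved_uid;  /* uid before the set-id exec */
};

/* Model of the PT_ATTACH permission check: attaching to a process whose
 * credentials have changed is refused. Returns 1 on success, 0 if refused. */
int pt_attach(struct proc *p)
{
    if (p->flags & P_SUGID)
        return 0;
    p->flags |= P_TRACED;
    return 1;
}

/* Stands in for "another process sneaks in" while the set-id path blocks;
 * the caller chooses what happens inside the window. */
typedef void (*window_hook)(struct proc *);

/* Vulnerable ordering from the post: the flag is set only after the
 * blocking call, so an attach during the window is not refused. */
void setugid_exec_vulnerable(struct proc *p, int new_uid, window_hook during_block)
{
    if (new_uid < 0)                          /* sanity check */
        return;
    during_block(p);                          /* blocking call (e.g. malloc) */
    p->saved_uid = p->uid;                    /* change user/group ID */
    p->uid = new_uid;
    p->flags |= P_SUGID;                      /* set P_SUGID */
}

/* Hardened ordering (assumed mitigation): set P_SUGID before the blocking
 * call so pt_attach() is refused inside the window, and refuse to finish the
 * credential change if a tracer was already attached beforehand. */
int setugid_exec_fixed(struct proc *p, int new_uid, window_hook during_block)
{
    if (new_uid < 0)                          /* sanity check */
        return -1;
    p->flags |= P_SUGID;                      /* set P_SUGID first */
    during_block(p);                          /* blocking call */
    if (p->flags & P_TRACED) {                /* tracer present: do not proceed */
        p->flags &= ~P_SUGID;
        return -1;
    }
    p->saved_uid = p->uid;                    /* change user/group ID */
    p->uid = new_uid;
    return 0;
}

/* The interloper's action inside the window: try to attach. */
static void interloper_attaches(struct proc *p)
{
    (void)pt_attach(p);
}

/* Returns 1 if the run ends with a tracer attached to a process that now
 * carries changed credentials, i.e. the race was lost; 0 otherwise. */
int race_outcome(int use_fixed_ordering)
{
    struct proc p = { 0u, 1000, 1000 };       /* constructed unprivileged proc */
    if (use_fixed_ordering)
        setugid_exec_fixed(&p, 0, interloper_attaches);
    else
        setugid_exec_vulnerable(&p, 0, interloper_attaches);
    return (p.flags & P_TRACED) && (p.flags & P_SUGID) && p.uid == 0;
}

/* Sanity check of the attach rule itself: once P_SUGID is set, attach fails. */
int attach_refused_once_sugid(void)
{
    struct proc p = { P_SUGID, 0, 1000 };
    return pt_attach(&p) == 0 && !(p.flags & P_TRACED);
}

int main(void)
{
    printf("vulnerable ordering, tracer ends up on set-id proc: %d\n", race_outcome(0));
    printf("fixed ordering,      tracer ends up on set-id proc: %d\n", race_outcome(1));
    return 0;
}
```

The model only shows why the order of "set P_SUGID" relative to the blocking call matters; it says nothing about where the real kernels block or how they were patched. The second check in the fixed path (refusing to finish when P_TRACED is already set) is the belt-and-braces half of the same idea, covering a tracer that attached before the sanity check rather than inside the window.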