From owner-freebsd-security Sat Aug 2 20:52:00 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA02429 for security-outgoing; Sat, 2 Aug 1997 20:52:00 -0700 (PDT)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA02418 for ; Sat, 2 Aug 1997 20:51:56 -0700 (PDT)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.8.5/8.8.5) with UUCP id VAA11192 for freebsd-security@FreeBSD.ORG; Sat, 2 Aug 1997 21:51:55 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id VAA15642 for ; Sat, 2 Aug 1997 21:53:52 -0600 (MDT)
Date: Sat, 2 Aug 1997 21:53:52 -0600 (MDT)
From: Marc Slemko
To: freebsd-security@FreeBSD.ORG
Subject: Re: Vulnerability in 4.4BSD rfork() implementation
In-Reply-To: <199708030102.UAA20008@enteract.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sat, 2 Aug 1997, Thomas H. Ptacek wrote:

> ----------------------------------------------------------------------------
>
>                        OpenBSD Security Advisory
>
>                             August 2, 1997
>
>                  Vulnerability in rfork() System Call
>
> ----------------------------------------------------------------------------
>
> SYNOPSIS
>
> A vulnerability in certain 4.4BSD kernels allows processes to gain
> access to restricted resources by manipulating the file descriptor
> tables of SUID and SGID executables. Applications of this vulnerability
> will allow users to gain root access.
>
> ----------------------------------------------------------------------------
>
> AFFECTED SYSTEMS
>
> It is believed that all 4.4BSD operating systems implementing the
> rfork() system call are currently vulnerable to this problem. These
> operating systems include OpenBSD 2.1 and FreeBSD 3.0. The OpenBSD
> project has resolved this problem in OpenBSD-current.
Since this wasn't entirely clear on some of the FreeBSD aspects, a few comments...

First, this is a real hole. Earlier today it took me only a few minutes to make a program to add another uid 0 to your passwd file to give you root access. With the skeleton code posted in this advisory, it is even easier.

Secondly, FreeBSD 2.2 (probably any version of 2.2-current starting around 1996/02/23) and 3.0 are both vulnerable. 2.1 and earlier are not.

Third, I would recommend the use of the loadable module included in the advisory to close the hole temporarily until there is a FreeBSD advisory or patch. While the supplied patch for kern_exec looks fine, using the module is easier and saves you having to do things twice when an official patch comes out. Few things (very few...) use rfork() so it shouldn't hurt much.

To use the loadable module, unarchive the shell archive included in the original post, type "make", then do something like:

    modload -e disable_rfork disable_rfork.o

as root. You should get a kernel message that the rfork() call is disabled. You should probably make it load at boot to prevent someone from deliberately crashing the system to remove the protection.
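The advisory above says the hole is that a process can manipulate the descriptor table of a SUID/SGID executable, and the reply mentions a kern_exec patch as the proper fix. Neither the skeleton code nor the patch is on this page, so the following is an added user-space model, not FreeBSD kernel code and not the exploit: it mimics an rfork() without RFFDG (child shares the parent's descriptor table), an exec of a set-uid-root image, and then the unprivileged parent swapping a descriptor out from under the privileged child. The "fixed" path assumes the kernel-side remedy is to give the process a private copy of its table when it execs a set-uid image while the table is still shared; that assumption, and every struct and function name here, is illustrative only.

```c
/* Added model of the rfork()/set-uid-exec descriptor-table hazard.
 * Not FreeBSD code: struct fdtable/struct proc, fdcopy(), fdfree() and
 * exec_setuid_root() are simplified stand-ins for the kernel structures.
 * The "unshare on set-uid exec" fix is an assumption about the kern_exec
 * patch mentioned on the page, which is not reproduced here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NFDS 8

/* A reference-counted descriptor table, in the spirit of struct filedesc. */
struct fdtable {
    int refcnt;
    int fds[NFDS];      /* -1 = closed, otherwise an opaque "open file" id */
};

struct proc {
    struct fdtable *fd;
    int euid;           /* 0 = root */
};

static struct fdtable *fdinit(void) {
    struct fdtable *t = calloc(1, sizeof *t);
    t->refcnt = 1;
    for (int i = 0; i < NFDS; i++) t->fds[i] = -1;
    t->fds[0] = 100; t->fds[1] = 101; t->fds[2] = 102;   /* stdin/out/err */
    return t;
}

/* Private copy of a table: same open files, fresh reference count. */
static struct fdtable *fdcopy(const struct fdtable *src) {
    struct fdtable *t = calloc(1, sizeof *t);
    memcpy(t->fds, src->fds, sizeof t->fds);
    t->refcnt = 1;
    return t;
}

static void fdfree(struct fdtable *t) {
    if (--t->refcnt == 0) free(t);
}

/* rfork() without RFFDG: the child references the parent's table. */
static void rfork_share(struct proc *parent, struct proc *child) {
    child->fd = parent->fd;
    child->fd->refcnt++;
    child->euid = parent->euid;
}

/* exec of a set-uid-root image. With unshare == 0 the process keeps the
 * shared table across the privilege transition (the vulnerable behaviour);
 * with unshare != 0 it first takes a private copy if anyone else holds it. */
static void exec_setuid_root(struct proc *p, int unshare) {
    if (unshare && p->fd->refcnt > 1) {
        struct fdtable *priv = fdcopy(p->fd);
        fdfree(p->fd);
        p->fd = priv;
    }
    p->euid = 0;
}

/* Unprivileged parent rfork()s a child that execs a set-uid-root image,
 * then replaces descriptor 0 in its own table with an attacker-chosen file.
 * Returns 1 if the privileged child now reads from that file, 0 if not. */
int run_scenario(int fixed) {
    struct proc parent = { fdinit(), 1000 };
    struct proc child;
    rfork_share(&parent, &child);
    exec_setuid_root(&child, fixed);

    parent.fd->fds[0] = 200;            /* constructed: attacker-controlled file */
    int affected = (child.fd->fds[0] == 200) && (child.euid == 0);

    fdfree(child.fd);
    fdfree(parent.fd);
    return affected;
}

int main(void) {
    printf("shared table kept across set-uid exec: child affected = %d\n",
           run_scenario(0));
    printf("table unshared on set-uid exec:        child affected = %d\n",
           run_scenario(1));
    return 0;
}
```

The point of the model is the check a reviewer wants to see in any fix: on a privilege-raising exec, no other process may still hold a reference to the new image's descriptor table. Disabling rfork() with the loadable module, as the reply recommends, removes the only 4.4BSD way for two processes to share a table in the first place, which is why it closes the hole without touching kern_exec.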