From: Nathan Dorfman
Message-Id: <199708030507.BAA15769@limbo.senate.org>
Subject: Re: Vulnerability in 4.4BSD rfork() implementation
In-Reply-To: from Marc Slemko at "Aug 2, 97 09:53:52 pm"
To: marcs@znep.com (Marc Slemko)
Date: Sun, 3 Aug 1997 01:07:27 -0400 (EDT)
Cc: freebsd-security@FreeBSD.ORG

> On Sat, 2 Aug 1997, Thomas H. Ptacek wrote:
>
> > ----------------------------------------------------------------------------
> >
> > OpenBSD Security Advisory
> >
> > August 2, 1997
> >
> > Vulnerability in rfork() System Call
> >
> > ----------------------------------------------------------------------------
> >
> > SYNOPSIS
> >
> > A vulnerability in certain 4.4BSD kernels allows processes to gain
> > access to restricted resources by manipulating the file descriptor
> > tables of SUID and SGID executables. Applications of this vulnerability
> > will allow users to gain root access.
> >
> > ----------------------------------------------------------------------------
> >
> > AFFECTED SYSTEMS
> >
> > It is believed that all 4.4BSD operating systems implementing the
> > rfork() system call are currently vulnerable to this problem. These
> > operating systems include OpenBSD 2.1 and FreeBSD 3.0. The OpenBSD
> > project has resolved this problem in OpenBSD-current.
>
> Since this wasn't entirely clear on some of the FreeBSD aspects, a few
> comments...
>
> First, this is a real hole. Earlier today it took me only a few minutes
> to make a program to add another uid 0 to your passwd file to give you
> root access. With the skeleton code posted in this advisory, it is even
> easier.
>
> Secondly, FreeBSD 2.2 (probably any version of 2.2-current starting
> around 1996/02/23) and 3.0 are both vulnerable. 2.1 and earlier are not.

I compiled and ran the two tests below on a 3.0-CURRENT system (cvsuped and
compiled Tue Jul 29 21:37:02 EDT 1997). It failed to create a /VULNERABLE.