From owner-freebsd-security Mon Dec 10 10:24:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 0CD0937B417 for ; Mon, 10 Dec 2001 10:24:55 -0800 (PST)
Received: from simoeon.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by smtp1.sentex.ca (8.11.6/8.11.6) with ESMTP id fBAIOs564736 for ; Mon, 10 Dec 2001 13:24:54 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <5.1.0.14.0.20011210131730.04998cf0@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Mon, 10 Dec 2001 13:18:29 -0500
To: security@freebsd.org
From: Mike Tancsa
Subject: AIO vulnerability (from bugtraq)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

For those not on bugtraq,

---Mike

------------------------------------------------------------------------------
Soniq Security Advisory
David Rufino
Dec 9, 2001

Race Condition in FreeBSD AIO implementation
http://elysium.soniq.net/dr/tao/tao.html
------------------------------------------------------------------------------

RISK FACTOR: LOW

SYNOPSIS

AIO is a POSIX standard for asynchronous I/O. Under certain conditions, scheduled AIO operations persist after an execve, allowing arbitrary overwrites in the memory of the new process. Combined with the permission to execute suid binaries, this can yield elevated privileges.

Currently VFS_AIO is not enabled in the default FreeBSD kernel config, however comments in ``LINT'' suggest security issues have been known about privately for some time:

# Use real implementations of the aio_* system calls. There are numerous
# stability issues in the current aio code that make it unsuitable for
# inclusion on shell boxes.
The type of file descriptor used for the AIO operation is important. For instance, operations on pipes will not complete fully after an execve, whereas operations on sockets will. It is not known whether AIO operations on hard disk files persist in the desired manner.

VULNERABLE SYSTEMS

FreeBSD 4-STABLE up to at least 28/10/01

RESOLUTION

Currently there are no known patches to remove all security issues. However, a patch is available to limit the use of AIO syscalls to root at http://elysium.soniq.net/dr/tao/patch-01

EXPLOIT

Given that FreeBSD AIO is not in active use at the moment, I have made available a proof of concept exploit, at http://elysium.soniq.net/dr/tao/tao.c

CREDITS

Discovery and exploitation was conducted by David Rufino.

CONTACT INFORMATION

dr+securityfocussucks@soniq.net
http://elysium.soniq.net/dr/index.html
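Since the advisory's practical mitigation is a kernel without VFS_AIO (or, with the author's patch, AIO limited to root), the first thing an administrator wants after reading it is a way to confirm which state a running box is in. The C probe below is an added example, not part of the advisory and not the tao.c proof of concept; the names probe_aio_support, classify_aio_errno and the aio_status values are my own. It submits a single aio_read against an unlinked temporary file and waits for it: on a FreeBSD kernel built without VFS_AIO the aio_* entry points are module stubs that fail with ENOSYS, so the submission itself fails, while on a kernel with AIO the read completes and the sample data comes back. The probe never calls execve and works as an unprivileged user.

```c
#define _POSIX_C_SOURCE 200809L
#include <aio.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Outcome of probing the running kernel for AIO support (names are my own). */
enum aio_status {
    AIO_AVAILABLE,      /* aio_read was accepted and completed with the right data */
    AIO_NOT_IN_KERNEL,  /* aio_* syscalls absent: the expected state for a kernel without VFS_AIO */
    AIO_PROBE_ERROR     /* something unrelated failed (temp file, unexpected errno, ...) */
};

/* Map the errno from a failed aio_read() submission to a status.
 * A FreeBSD kernel built without VFS_AIO answers the aio_* syscalls with
 * ENOSYS; any other errno is a problem with the probe, not evidence about
 * the kernel configuration. */
enum aio_status classify_aio_errno(int err)
{
    return err == ENOSYS ? AIO_NOT_IN_KERNEL : AIO_PROBE_ERROR;
}

/* Submit one aio_read against an unlinked temporary file and wait for it.
 * A regular file is used deliberately: the probe only asks whether the
 * syscalls exist, not about the pipe/socket behaviour the advisory describes. */
enum aio_status probe_aio_support(void)
{
    static const char sample[] = "constructed sample data for the AIO probe";
    char path[] = "/tmp/aioprobe.XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return AIO_PROBE_ERROR;
    unlink(path);   /* keep the descriptor, drop the name */

    if (write(fd, sample, sizeof sample) != (ssize_t)sizeof sample) {
        close(fd);
        return AIO_PROBE_ERROR;
    }

    char buf[sizeof sample];
    struct aiocb cb;
    memset(&cb, 0, sizeof cb);
    cb.aio_fildes = fd;
    cb.aio_buf = buf;
    cb.aio_nbytes = sizeof buf;
    cb.aio_offset = 0;
    cb.aio_sigevent.sigev_notify = SIGEV_NONE;

    if (aio_read(&cb) == -1) {
        int err = errno;            /* capture before close() can clobber it */
        close(fd);
        return classify_aio_errno(err);
    }

    const struct aiocb *list[1] = { &cb };
    while (aio_error(&cb) == EINPROGRESS) {
        if (aio_suspend(list, 1, NULL) == -1 && errno != EINTR) {
            close(fd);
            return AIO_PROBE_ERROR;
        }
    }
    ssize_t got = aio_return(&cb);
    close(fd);

    return (got == (ssize_t)sizeof buf && memcmp(buf, sample, sizeof buf) == 0)
               ? AIO_AVAILABLE : AIO_PROBE_ERROR;
}

int main(void)
{
    switch (probe_aio_support()) {
    case AIO_AVAILABLE:
        puts("AIO syscalls are available: this kernel has VFS_AIO (or equivalent) enabled");
        return 1;
    case AIO_NOT_IN_KERNEL:
        puts("AIO syscalls return ENOSYS: VFS_AIO is not in this kernel");
        return 0;
    default:
        puts("probe failed for an unrelated reason; result inconclusive");
        return 2;
    }
}
```

Build with `cc -o aioprobe aioprobe.c` (on systems whose libc keeps POSIX AIO in a separate library, add `-lrt`). The exit status is chosen so that a zero means the safe state for this advisory; a non-zero result on a multi-user FreeBSD 4-STABLE box is the cue to either rebuild without VFS_AIO or apply the advisory's patch restricting the syscalls to root.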