Date: Tue, 16 Sep 1997 22:48:57 -0700
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: tqbf@silence.secnet.com, Don Lewis <Don.Lewis@tsc.tdk.com>
Cc: tqbf@enteract.com, freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD Security Advisory: BSD I/O Signals
Message-ID: <199709170548.WAA26312@salsa.gv.tsc.tdk.com>
In-Reply-To: tqbf@silence.secnet.com "Re: OpenBSD Security Advisory: BSD I/O Signals" (Sep 16, 11:15pm)
On Sep 16, 11:15pm, tqbf@silence.secnet.com wrote:
} Subject: Re: OpenBSD Security Advisory: BSD I/O Signals
}
} > random things from happening. Now this is a stretch, but what if an
} > attacker subverted a root owned process to do a F_SETOWN, change uid to
}
} The hole would be in the program that allowed an attacker to gain root
} access to fcntl, and there's not much you can do in the kernel to prevent
} the general case of this from remaining true.

I just found an exploit, but it's pretty weak. You can use it to send
signals to processes that you don't own, but you can't choose the PID.

Ftpd does a F_SETOWN on its control socket before it does authentication,
which means that the credentials stashed away by F_SETOWN are root. If you
log in as a normal user and you do an "ls -lR /" or something that takes a
long time, you can "kill -STOP" the ls process, and kill ftpd entirely.
The "ls" process will keep the control socket open (it's connected to
stdin), so whenever a process gets the old PID of ftpd, you can send it a
SIGURG.

A tiny hole, but it's there.

--- Truck
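An added illustration of the mechanism behind this thread, written for this archive page and not taken from the mail, from ftpd or from any BSD kernel source; it assumes Linux (O_ASYNC on a pipe, sigtimedwait) and every function name in it is mine. It shows the defender's side of the ftpd pattern above: F_SETOWN ownership belongs to the open file description, so it survives fork() into a child and must be cleared or re-issued at a privilege boundary rather than left armed under the credentials of the original caller.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Arm fd: SIGIO goes to this process when fd becomes readable. On Linux the kernel
 * also records the caller's uid/euid here and re-checks them against the target
 * process when the signal is actually sent, the same style of fix the thread discusses. */
int arm_async(int fd) {
    int fl = fcntl(fd, F_GETFL);
    if (fl == -1 || fcntl(fd, F_SETOWN, getpid()) == -1) return -1;
    return fcntl(fd, F_SETFL, fl | O_ASYNC);
}
/* Disarm: clear the owner and O_ASYNC before handing the descriptor to a child
 * or changing credentials, so no stale owner survives the boundary. */
int disarm_async(int fd) {
    int fl = fcntl(fd, F_GETFL);
    if (fl == -1 || fcntl(fd, F_SETFL, fl & ~O_ASYNC) == -1) return -1;
    return fcntl(fd, F_SETOWN, 0); /* owner 0 = nobody */
}
/* Ownership lives in the open file description, not the process: a forked child
 * still sees the parent as owner. Returns 1 if so, 0 if not, -1 on error. */
int child_sees_parent_as_owner(int fd) {
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) _exit(fcntl(fd, F_GETOWN) == getppid() ? 0 : 1);
    int st; if (waitpid(pid, &st, 0) == -1 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st) == 0;
}
/* Write one byte to wfd and report (1/0) whether SIGIO arrived within 1 s.
 * SIGIO is blocked and collected with sigtimedwait(), so no handler is needed. */
int write_triggers_sigio(int wfd) {
    sigset_t set; sigemptyset(&set); sigaddset(&set, SIGIO);
    struct timespec to = {1, 0};
    if (sigprocmask(SIG_BLOCK, &set, NULL) == -1) return -1;
    if (write(wfd, "x", 1) != 1) return -1;
    return sigtimedwait(&set, NULL, &to) == SIGIO;
}
/* Run the checks on a fresh pipe; returns a bitmask of passed checks (15 = all). */
int run_demo(void) {
    int fds[2], ok = 0;
    if (pipe(fds) == -1 || arm_async(fds[0]) == -1) return -1;
    ok |= (fcntl(fds[0], F_GETOWN) == getpid()) << 0;     /* we own it        */
    ok |= (child_sees_parent_as_owner(fds[0]) == 1) << 1; /* child inherits   */
    ok |= (write_triggers_sigio(fds[1]) == 1) << 2;       /* SIGIO delivered  */
    if (disarm_async(fds[0]) == -1) return -1;
    ok |= (fcntl(fds[0], F_GETOWN) == 0 && write_triggers_sigio(fds[1]) == 0) << 3;
    close(fds[0]); close(fds[1]);
    return ok;
}
```

The last check is the one a daemon author cares about: once disarm_async() has run, a write no longer raises SIGIO for anyone, whatever identity the process later adopts.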