From owner-freebsd-security Tue Sep 16 22:49:30 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id WAA18344 for security-outgoing; Tue, 16 Sep 1997 22:49:30 -0700 (PDT)
Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id WAA18332 for ; Tue, 16 Sep 1997 22:49:25 -0700 (PDT)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP id WAA01109; Tue, 16 Sep 1997 22:49:00 -0700 (PDT)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id WAA01558; Tue, 16 Sep 1997 22:48:59 -0700 (PDT)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id WAA26312; Tue, 16 Sep 1997 22:48:57 -0700 (PDT)
From: Don Lewis
Message-Id: <199709170548.WAA26312@salsa.gv.tsc.tdk.com>
Date: Tue, 16 Sep 1997 22:48:57 -0700
In-Reply-To: tqbf@silence.secnet.com "Re: OpenBSD Security Advisory: BSD I/O Signals" (Sep 16, 11:15pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: tqbf@silence.secnet.com, Don Lewis
Subject: Re: OpenBSD Security Advisory: BSD I/O Signals
Cc: tqbf@enteract.com, freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sep 16, 11:15pm, tqbf@silence.secnet.com wrote:
} Subject: Re: OpenBSD Security Advisory: BSD I/O Signals
}
} > random things from happening. Now this is a stretch, but what if an
} > attacker subverted a root owned process to do an F_SETOWN, change uid to
}
} The hole would be in the program that allowed an attacker to gain root
} access to fcntl, and there's not much you can do in the kernel to prevent
} the general case of this from remaining true.

I just found an exploit, but it's pretty weak. You can use it to send
signals to processes that you don't own, but you can't choose the PID.
Ftpd does an F_SETOWN on its control socket before it does authentication,
which means that the credentials stashed away by F_SETOWN are root. If you
log in as a normal user and you do an "ls -lR /" or something that takes a
long time, you can "kill -STOP" the ls process, and kill ftpd entirely. The
"ls" process will keep the control socket open (it's connected to stdin), so
whenever a process gets the old PID of ftpd, you can send it a SIGURG. A
tiny hole, but it's there.

--- Truck
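The mechanism the post relies on, as an added example that is not part of the original message and is not ftpd or FreeBSD code: F_SETOWN records the owner PID on the socket object rather than on a descriptor, so once another process inherits the descriptor (here a paused child standing in for the stopped "ls"), the registration outlives the original owner closing its copy, and TCP urgent data from the peer still aims SIGURG at that PID. A loopback TCP pair stands in for the ftpd control connection. The program does not reproduce the PID-reuse step; it only shows that the signal target is the PID, not a descriptor holder. Function and variable names are mine; tested on Linux, where the owner's uid/euid are also recorded at F_SETOWN time and checked against the target at delivery.

```c
/* sigurg_owner.c: show that the F_SETOWN owner survives the owner's close().
 * Added example, not from the list post.  Build: cc -Wall -o sigurg_owner sigurg_owner.c */
#define _GNU_SOURCE
#include <fcntl.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void on_sigurg(int sig) { (void)sig; }   /* presence only; we use sigtimedwait */

/* Connected loopback TCP pair: *srv plays the ftpd control socket, *cli the
 * remote client.  Returns 0 on success, -1 on any failure. */
static int loopback_pair(int *srv, int *cli)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int lst = socket(AF_INET, SOCK_STREAM, 0);
    if (lst < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                                    /* ephemeral port */
    if (bind(lst, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(lst, 1) < 0 ||
        getsockname(lst, (struct sockaddr *)&sa, &len) < 0) { close(lst); return -1; }
    *cli = socket(AF_INET, SOCK_STREAM, 0);
    if (*cli < 0 || connect(*cli, (struct sockaddr *)&sa, sizeof sa) < 0) { close(lst); return -1; }
    *srv = accept(lst, NULL, NULL);
    close(lst);
    return *srv < 0 ? -1 : 0;
}

/* Returns 1 if SIGURG reached this process after it had closed its own copy of
 * the socket, 0 if nothing arrived within the timeout, -1 on setup error. */
int sigurg_survives_owner_close(void)
{
    int srv, cli, got;
    sigset_t mask, old;
    struct sigaction act;
    struct timespec timeout = { 3, 0 };
    pid_t child;

    if (loopback_pair(&srv, &cli) < 0) return -1;

    memset(&act, 0, sizeof act);
    act.sa_handler = on_sigurg;
    sigaction(SIGURG, &act, NULL);
    sigemptyset(&mask);
    sigaddset(&mask, SIGURG);
    sigprocmask(SIG_BLOCK, &mask, &old);   /* queue it; collect with sigtimedwait */

    /* "ftpd": register itself as owner before the socket is shared with a child.
     * (Linux also stashes the caller's uid/euid here, the analogue of the
     * "credentials stashed away by F_SETOWN" in the post.) */
    if (fcntl(srv, F_SETOWN, getpid()) < 0) return -1;

    /* "ls": inherits the control socket and just sits on it. */
    child = fork();
    if (child < 0) return -1;
    if (child == 0) { close(cli); pause(); _exit(0); }

    /* The owner drops its descriptor.  The socket object stays alive through
     * the child and still carries the owner PID registered above. */
    close(srv);

    /* Remote side: one byte of TCP urgent data. */
    if (send(cli, "!", 1, MSG_OOB) != 1) { kill(child, SIGKILL); waitpid(child, NULL, 0); return -1; }

    got = sigtimedwait(&mask, NULL, &timeout);    /* SIGURG, or -1 on timeout */

    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    close(cli);
    sigprocmask(SIG_SETMASK, &old, NULL);
    return got == SIGURG ? 1 : 0;
}

int main(void)
{
    int r = sigurg_survives_owner_close();
    if (r < 0) { perror("setup"); return 1; }
    printf("SIGURG delivered to former owner after it closed the socket: %s\n", r ? "yes" : "no");
    return 0;
}
```

The result is what makes the post's scenario work: the kernel has no way to tell that the PID it was handed at F_SETOWN time no longer belongs to the process that did the registration, so after ftpd exits and its PID is recycled, the urgent byte is aimed at whatever process now owns that number.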