Date:      Tue, 16 Sep 1997 22:48:57 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        tqbf@silence.secnet.com, Don Lewis <Don.Lewis@tsc.tdk.com>
Cc:        tqbf@enteract.com, freebsd-security@FreeBSD.ORG
Subject:   Re: OpenBSD Security Advisory: BSD I/O Signals
Message-ID:  <199709170548.WAA26312@salsa.gv.tsc.tdk.com>
In-Reply-To: tqbf@silence.secnet.com "Re: OpenBSD Security Advisory: BSD I/O Signals" (Sep 16, 11:15pm)

On Sep 16, 11:15pm, tqbf@silence.secnet.com wrote:
} Subject: Re: OpenBSD Security Advisory: BSD I/O Signals
} 
} > random things from happening.  Now this is a stretch, but what if an
} > attacker subverted a root owned process to do a F_SETOWN, change uid to
} 
} The hole would be in the program that allowed an attacker to gain root
} access to fcntl, and there's not much you can do in the kernel to prevent
} the general case of this from remaining true.

I just found an exploit, but it's pretty weak.  You can use it to send
signals to processes that you don't own, but you can't choose the PID.

Ftpd does a F_SETOWN on its control socket before it does authentication,
which means that the credentials stashed away by F_SETOWN are root.  If
you log in as a normal user and you do an "ls -lR /" or something that
takes a long time, you can "kill -STOP" the ls process, and kill ftpd
entirely.  The "ls" process will keep the control socket open (it's connected
to stdin), so whenever a process gets the old PID of ftpd, you can send it
a SIGURG.

A tiny hole, but it's there.

			---  Truck
