Date: Mon, 22 Apr 2002 08:10:53 -0400
From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Subject: Fwd: [VulnWatch] Pine Internet Advisory: Setuid application execution may give local root in FreeBSD
Message-ID: <5.1.0.14.0.20020422080933.04501110@192.168.0.12>
FYI

>Mailing-List: contact vulnwatch-help@vulnwatch.org; run by ezmlm
>List-Post: <mailto:vulnwatch@vulnwatch.org>
>List-Help: <mailto:vulnwatch-help@vulnwatch.org>
>List-Unsubscribe: <mailto:vulnwatch-unsubscribe@vulnwatch.org>
>List-Subscribe: <mailto:vulnwatch-subscribe@vulnwatch.org>
>Delivered-To: mailing list vulnwatch@vulnwatch.org
>Delivered-To: moderator for vulnwatch@vulnwatch.org
>Date: Mon, 22 Apr 2002 10:58:25 +0200
>From: Patrick Oonk <patrick@pine.nl>
>To: bugtraq@securityfocus.com
>Cc: vulnwatch@vulnwatch.org
>Reply-To: cert@pine.nl
>User-Agent: Mutt/1.3.25i
>X-Organization: Pine Internet B.V.
>X-GSM: +31-6-24209907
>X-message: Dew on the telephone lines.
>X-Zen: Ommmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
>X-Coordinates: 52 04 43N - 4 17 27W
>X-NCC-RegID: nl.pine
>X-PGP-Fingerprint: DD29 1787 8F49 51B8  4FDF 2F64 A65C 42AE 155C 3934
>X-PGP-KeyID: 155C3934
>X-Virus-Scanned: amavis-20020220
>X-Virus-Scanned: by Pine Internet BV
>Subject: [VulnWatch] Pine Internet Advisory: Setuid application execution
>may give local root in FreeBSD
>
>-----------------------------------------------------------------------------
>                        Pine Internet Security Advisory
>-----------------------------------------------------------------------------
>  Advisory ID       : PINE-CERT-20020401
>  Authors           : Joost Pol <joost@pine.nl>
>  Issue date        : 2002-04-22
>  Application       : Multiple
>  Version(s)        : Multiple
>  Platforms         : FreeBSD confirmed, maybe others.
>  Vendor informed   : 20020406
>  Availability      : http://www.pine.nl/advisories/pine-cert-20020401.txt
>-----------------------------------------------------------------------------
>
>Synopsis
>
>         It is possible for a local user to execute a suid application with
>         stdin, stdout or stderr closed.
>
>Impact
>
>         HIGH. Local users should be able to gain root privileges.
>
>Description
>
>         Consider the following (imaginary) suid application:
>
>         -- begin of imaginary code snippet
>
>         FILE * f = fopen("/etc/root_owned_file", "r+");
>
>         if(f) {
>
>          fprintf(stderr, "%s: fopen() succeeded\n", argv[0]);
>
>          fclose(f);
>         }
>
>         -- end of imaginary code snippet
>
>         Now, consider the following (imaginary) exploit:
>
>         -- begin of imaginary exploit snippet
>
>         while(dup(1) != -1);
>
>         close(2);
>
>         execl("/path/to/suid_application",
>               "this text will endup in the root_owned_file", 0);
>
>         -- end of imaginary exploit snippet
>
>         Exploitation has been confirmed using the S/KEY binaries.
>
>Solution
>
>         FreeBSD source trees have been updated on the 21st of April 2002.
>         Please cvsup.
>
>--
>  patrick oonk - pine internet - patrick@pine.nl - www.pine.nl/~patrick
>  T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl
>  PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79  CA36 0BFD 2CB4 7283 A4E7 4BBF
>  Note: my NEW PGP key is available at http://www.pine.nl/~patrick/
>  Excuse of the day: it has Intel Inside

--------------------------------------------------------------------
Mike Tancsa,                                  tel +1 519 651 3400
Sentex Communications,                        mike@sentex.net
Providing Internet since 1994                 www.sentex.net
Cambridge, Ontario Canada                     www.sentex.net/mike
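
The advisory's snippets work because open() and fopen() return the lowest free descriptor, so a closed fd 2 is handed to the next file the setuid program opens and its stderr output is written there. A startup check a privileged program can run before opening anything, as an added example that is not part of the advisory or of the FreeBSD fix (function names are hypothetical; /dev/null stands in for the root-owned file):

```c
/* Added example; function names are hypothetical, not from the advisory. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Point closed standard descriptors at /dev/null; returns count repaired or -1. */
int ensure_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                          /* already open */
        int nfd = (errno == EBADF) ? open("/dev/null", O_RDWR) : -1;
        if (nfd == -1)
            return -1;
        if (nfd != fd && (dup2(nfd, fd) == -1 || close(nfd) == -1))
            return -1;                         /* could not claim the slot */
        repaired++;
    }
    return repaired;
}

/* In a child: close stderr as in the advisory, optionally repair it, and
 * report which descriptor the next open() (the "privileged" file) gets. */
int fd_of_next_open(int harden)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        if (ensure_std_fds() == -1)            /* normalise the starting state */
            _exit(255);
        close(2);
        if (harden && ensure_std_fds() != 1)
            _exit(255);
        _exit(open("/dev/null", O_RDONLY));
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("plain: fd %d, hardened: fd %d\n", fd_of_next_open(0), fd_of_next_open(1));
    return 0;
}
```

A setuid program should treat a -1 return from the check as fatal and exit before touching any file.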