Bugtraq mailing list archives

linux kernel patch - suid procs exec'd with bad 0,1,2 fds

From: amsdenz () AAVID COM (Zachary Amsden)
Date: Tue, 4 Aug 1998 13:19:01 -0400


Patch for current linux kernels

If a priviledged process is exec'd by a user who closes
file descriptors on it, many poorly written programs do
not notice and libc printf functions may have access to
any files opened.  This can be used to crash the system
by corrupting memory or in some cases, compromise root.

This doesn't attempt to fix the fds for such a process,
that would be not quite right in a chrooted environment
with no /dev/null, and creating fake dentries and inode
is too much work for something that is not quite useful

Instead, we just fall through the standard error checks
and return EPERM


This doesn't break pipelines or any other traditional
UNIX functionality that I am aware of.

Zachary Amsden
amsden () andrew cmu edu



begin 666 suidbadfd.txt
M+2TM(&QI;G5X+V9S+V5X96,N8RYO;&0)1G)I($IU;" S,2 Q,3HS-CHT.2 Q
M.3DX#0HK*RL@;&EN=7@O9G,O97AE8RYC"4UO;B!!=6<@(#,@,3$Z-3 Z,3(@
M,3DY. T*0$ @+38U-2PQ," K-C4U+#$W($! #0H@"0DO*B!792!C86XG="!S
M=6ED+65X96-U=&4@:68@=V4G<F4@<VAA<FEN9R!P87)T<R!O9B!T:&4@97AE
M8W5T86)L92 J+PT*( D)+RH@;W(@:68@=V4G<F4@8F5I;F<@=')A8V5D("AO
M<B!I9B!S=6ED(&5X96-S(&%R92!N;W0@86QL;W=E9"D@(" @*B\-"B )"2\J
M("AC=7)R96YT+3YM;2T^8V]U;G0@/B Q(&ES(&]K+"!A<R!W92=L;"!G970@
M82!N97<@;6T@86YY=V%Y*2 @("HO#0HK"0DO*B!!;'-O(&1O;B=T('-U:60M
M97AE8R!P<F]C<R!W:71H(&)A9" P+#$L,B!F9',@9F]R('-E8W5R:71Y("U:
M02 J+PT*( D):68@*$E37TY/4U5)1"AI;F]D92D-"B )"2 @("!\?" H8W5R
M<F5N="T^9FQA9W,@)B!01E]05%)!0T5$*0T*( D)(" @('Q\("AC=7)R96YT
M+3YF<RT^8V]U;G0@/B Q*0T*( D)(" @('Q\("AA=&]M:6-?<F5A9"@F8W5R
M<F5N="T^<VEG+3YC;W5N="D@/B Q*0T**PD)(" @('Q\("%&1%])4U-%5"@P
M+" F8W5R<F5N="T^9FEL97,M/F]P96Y?9F1S*0T**PD)(" @('Q\("%&1%])
M4U-%5"@Q+" F8W5R<F5N="T^9FEL97,M/F]P96Y?9F1S*0T**PD)(" @('Q\
M("%&1%])4U-%5"@R+" F8W5R<F5N="T^9FEL97,M/F]P96Y?9F1S*0T**PD)
M(" @('Q\($9$7TE34T54*# L("9C=7)R96YT+3YF:6QE<RT^8VQO<V5?;VY?
M97AE8RD-"BL)"2 @("!\?"!&1%])4U-%5"@Q+" F8W5R<F5N="T^9FEL97,M
M/F-L;W-E7V]N7V5X96,I#0HK"0D@(" @?'P@1D1?25-3150H,BP@)F-U<G)E
M;G0M/F9I;&5S+3YC;&]S95]O;E]E>&5C*0T*( D)(" @('Q\("AC=7)R96YT
M+3YF:6QE<RT^8V]U;G0@/B Q*2D@>PT*(" )"0EI9B H:61?8VAA;F=E("8F
M("%C87!A8FQE*$-!4%]31515240I*0T*(" )"0D)<F5T=7)N("U%4$5233L-
!"@``
`
end

Current thread:

Re: Object tag crashes Internet Explorer 4.0 Paul Leach (Aug 04)
- linux kernel patch - suid procs exec'd with bad 0,1,2 fds Zachary Amsden (Aug 04)
- Re: Object tag crashes Internet Explorer 4.0 Kragen (Aug 04)
- Re: Object tag crashes Internet Explorer 4.0 Pavel Kankovsky (Aug 05)
- Re: Object tag crashes Internet Explorer 4.0 David Damerell (Aug 06)
  - Sendmail up to 8.9.1 - mail.local instroduces new class of bugs Michal Zalewski (Jul 09)
    - Re: Sendmail up to 8.9.1 - mail.local instroduces new class of Jeremiah Rothschild (Aug 10)
    - Re: Sendmail up to 8.9.1 - mail.local instroduces new class of Scott Stone (Aug 10)
    - Network Associates Inc. Advisory (OpenBSD) Security Research Labs (Aug 10)
  - Re: Object tag crashes Internet Explorer 4.0 Alan Cox (Aug 07)
  - Description of the Eudora Security Hole Aleph One (Aug 07)
- resend Steve Bellovin (Aug 06)

(Thread continues...)