Bugtraq mailing list archives

Re: *BSD procfs vulnerability

From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Sun, 23 Jan 2000 19:17:34 -0700

                        Fast Emergency AVET Response
                             SECURITY ADVISORY
                                January 2000
                                 FEAR ID: 1
                         *BSD procfs vulnerability

[...]


    The solution (by deraadt) is to add a certain check in execve syscall. If
a process X tries to exec a setuid binary, we make sure it holds no open
descriptors pointing into procfs filesystem.


Actually, my patch only checks descriptors 0, 1, and 2.  Todd and I
thought long and hard, and could not think of a setuid process which
would expect a provided descriptor higher than 2 to be kosher for
writing to.  Such processes are very careful with those descriptors.

But descriptors 0, 1, and 2 are special cased by libc.  libc assumes
it can splat to them, and setuid programs use libc.

While mostly dealing with procfs, this advisory also has a lot in
common with the un-allocated fd advisory that we made available in
June of 1998.  In that case, leaving file descriptors 0, 1, or 2
unallocated at execution time would cause a setuid process to open
it's next descriptor into one of those slots.  For sake of argument,
let's pick 2 (0 and 1 are open on files, 2 is not).  If the setuid
process opens a new file for write, which becomes descriptor 2, and
then a bad condition causes it to write to stderr, it will have
written over the file it opened.

See http://www.openbsd.org/errata23.html#fdalloc

We actually never found anything that could be exploited by this
problem, but we didn't look for a specific attacks to this generic
problem.  Instead, we fixed the kernel because we feel that setuid
programmers already have far too much to worry about, without having
to worry about descriptors 0, 1, and 2 being allocated.

The reason I mention all this, is that the handling for this procfs
issue is now handled by the same chunk of code that solves the fdalloc
issue...

Current thread:

Re: IIS still revealing paths for web directories, (continued)
- - - Re: IIS still revealing paths for web directories Norbert Luckhardt (Jan 15)
    - usual iploggers miss some variable stealth scans vecna (Jan 17)
    - Re: usual iploggers miss some variable stealth scans Simple Nomad (Jan 17)
    - AW: usual iploggers miss some variable stealth scans Tobi (Jan 18)
    - AW: usual iploggers miss some variable stealth scans Tobi (Jan 19)
    - Warning: VCasel security hole. bob mare (Jan 18)
    - Re: usual iploggers miss some variable stealth scans Alec Kosky (Jan 18)
    - Re: usual iploggers miss some variable stealth scans Andrea Gho (Jan 20)
    - Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x root (Jan 21)
    - *BSD procfs vulnerability FEAR Advisories (Jan 21)
    - Re: *BSD procfs vulnerability Theo de Raadt (Jan 23)
    - stream.c/raped.c tests (just for stats) Vanja Hrustic (Jan 21)
    - Microsoft Security Bulletin (MS00-004) Microsoft Product Security (Jan 21)
    - Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x Vanja Hrustic (Jan 22)
    - Re: Vulnerabilities in Checkpoint FW-1 version 3.x and maybe 4.x Markus Hofmann (Jan 22)
    - Administrivia Elias Levy (Jan 18)
    - Info on some security holes reported against SCO Unixware. Aaron Sigel (Jan 13)
    - ssh-proxy, a new approach to firewall software Magosanyi Arpad (Jan 13)
    - Re: Hotmail security hole - injecting JavaScript using <IMG Ajax (Jan 11)
    - Serious Bug in Corel Linux.(Local root exploit) tascon () ENETE GUI UVA ES (Jan 12)
    - secure-programs howto Signal 11 (Jan 09)

(Thread continues...)