Bugtraq mailing list archives
Re: *BSD procfs vulnerability
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Sun, 23 Jan 2000 19:17:34 -0700
Fast Emergency AVET Response SECURITY ADVISORY
January 2000
FEAR ID: 1
*BSD procfs vulnerability
[...]
The solution (by deraadt) is to add a certain check in execve syscall. If a process X tries to exec a setuid binary, we make sure it holds no open descriptors pointing into procfs filesystem.
Actually, my patch only checks descriptors 0, 1, and 2. Todd and I thought long and hard, and could not think of a setuid process which would expect a provided descriptor higher than 2 to be kosher for writing to. Such processes are very careful with those descriptors. But descriptors 0, 1, and 2 are special-cased by libc. libc assumes it can splat to them, and setuid programs use libc.

While mostly dealing with procfs, this advisory also has a lot in common with the un-allocated fd advisory that we made available in June of 1998. In that case, leaving file descriptors 0, 1, or 2 unallocated at execution time would cause a setuid process to open its next descriptor into one of those slots. For the sake of argument, let's pick 2 (0 and 1 are open on files, 2 is not). If the setuid process opens a new file for write, which becomes descriptor 2, and then a bad condition causes it to write to stderr, it will have written over the file it opened. See http://www.openbsd.org/errata23.html#fdalloc

We actually never found anything that could be exploited by this problem, but we didn't look for specific attacks on this generic problem. Instead, we fixed the kernel because we feel that setuid programmers already have far too much to worry about, without having to worry about descriptors 0, 1, and 2 being allocated.

The reason I mention all this is that the handling for this procfs issue is now handled by the same chunk of code that solves the fdalloc issue...
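The two checks Theo describes (the 1998 fdalloc fix and the new procfs check at execve of a setuid binary) live in the kernel; the following is an added example, not code from the advisory or from OpenBSD, showing the same two checks done defensively in user space by a program that does not want to trust inherited descriptors 0, 1 and 2. It assumes a POSIX system with /dev/null and fstatfs(2); the procfs test uses f_type on Linux (PROC_SUPER_MAGIC, 0x9fa0) and f_fstypename on the BSDs, and the helper names (fill_closed_fds, std_fds_on_procfs) are this example's own.

```c
/* Added example (not from the advisory or OpenBSD): user-space
 * counterparts of the kernel's fdalloc and procfs checks for a
 * program that must not trust inherited descriptors 0, 1 and 2. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/vfs.h>
#ifndef PROC_SUPER_MAGIC
#define PROC_SUPER_MAGIC 0x9fa0   /* value from <linux/magic.h> */
#endif
#else
#include <sys/param.h>
#include <sys/mount.h>
#endif

/* Is fd currently allocated? fcntl(F_GETFD) fails with EBADF if not. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Does fd refer to a file on procfs? Linux exposes a magic number in
 * f_type; the BSDs expose the file system name in f_fstypename. */
int fd_on_procfs(int fd)
{
    struct statfs sfs;
    if (fstatfs(fd, &sfs) == -1)
        return 0;
#ifdef __linux__
    return sfs.f_type == PROC_SUPER_MAGIC;
#else
    return strcmp(sfs.f_fstypename, "procfs") == 0;
#endif
}

/* fdalloc in user space: make sure descriptors 0..n-1 are all allocated,
 * pointing any closed one at /dev/null so that a later open() cannot land
 * in a slot libc will later write to as stdout/stderr. Walking upward
 * guarantees open() returns exactly the slot being filled, because every
 * lower slot is already open. Returns the number filled, or -1 on error. */
int fill_closed_fds(int n)
{
    int filled = 0;
    for (int fd = 0; fd < n; fd++) {
        if (fd_is_open(fd))
            continue;
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {          /* should not happen; never leave it dangling */
            close(nfd);
            return -1;
        }
        filled++;
    }
    return filled;
}

/* The procfs check the advisory describes, applied to the std descriptors.
 * Returns 0 if none of 0, 1, 2 is on procfs, otherwise offending fd + 1. */
int std_fds_on_procfs(void)
{
    for (int fd = 0; fd < 3; fd++)
        if (fd_is_open(fd) && fd_on_procfs(fd))
            return fd + 1;
    return 0;
}

int main(void)
{
    /* Order matters: fill first, then inspect what is actually there. */
    if (fill_closed_fds(3) < 0)
        _exit(1);
    /* Do not report this on stderr: descriptor 2 is exactly what we distrust. */
    if (std_fds_on_procfs() != 0)
        _exit(1);
    printf("std descriptors allocated and not on procfs\n");
    return 0;
}
```

The point of the ordering in main() is the one Theo makes: once a closed low descriptor exists, any open() the program performs silently becomes its stdout or stderr, so the allocation check has to run before anything else opens a file, and a failure must not be reported through the very descriptor under suspicion.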