[21029] in bugtraq
Re: OpenBSD 2.9,2.8 local root compromise
daemon@ATHENA.MIT.EDU (Jason R Thorpe)
Fri Jun 15 11:40:46 2001
Date: Thu, 14 Jun 2001 23:38:03 -0700
From: Jason R Thorpe <thorpej@zembu.com>
To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Cc: Georgi Guninski <guninski@guninski.com>,
Bugtraq <BUGTRAQ@securityfocus.com>
Message-ID: <20010614233803.A459@dr-evil.shagadelic.org>
Reply-To: thorpej@zembu.com
Mail-Followup-To: Jason R Thorpe <thorpej@zembu.com>,
Przemyslaw Frasunek <venglin@freebsd.lublin.pl>,
Georgi Guninski <guninski@guninski.com>,
Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010614190931.H50393@riget.scene.pl>; from venglin@freebsd.lublin.pl on Thu, Jun 14, 2001 at 07:09:31PM +0200
On Thu, Jun 14, 2001 at 07:09:31PM +0200, Przemyslaw Frasunek wrote:
> On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
> > OpenBSD 2.9,2.8
> > Have not tested on other OSes but they may be vulnerable
>
> FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
> privileges before allowing detach.
Uh, the fundamental problem is that there's a chance to PT_ATTACH to
such a process before the P_SUGID bit is set in the proc. This can
happen when, e.g., the ucred structure is copied (there is a potentially
blocking malloc() call in that path).
A cursory glance shows several places where the FreeBSD kernel has
code like:
/* sanity check */
/* blocking call */
/* change user/group ID */
/* set P_SUGID */
During the /* blocking call */, another process can sneak in and PT_ATTACH
the process that is about to become sugid.
--
-- Jason R. Thorpe <thorpej@zembu.com>
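The race Thorpe describes, modelled in userspace C as an added illustration (this is not code from the message, nor from the FreeBSD or OpenBSD kernels). The struct layout, the P_SUGID flag value, the uids and the `sleep_hook` callback that stands in for the blocking malloc() are all assumptions of the model. It contrasts the ordering quoted above (sanity check, blocking call, change uid, set P_SUGID) with one possible way to close the window: set P_SUGID before anything can sleep and re-check for a tracer afterwards. That fix is an assumption for the illustration, not what either kernel actually did.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model of the race described above; not kernel code from either BSD.
 * The flag value, struct layout and uids are made up for the illustration. */
#define P_SUGID      0x1u
#define ATTACKER_UID 1000u

struct proc {
    unsigned flags;      /* P_SUGID once the process has switched credentials */
    unsigned uid;        /* effective uid; 0 is root */
    bool traced;         /* a tracer has attached via PT_ATTACH */
    unsigned tracer_uid; /* uid of that tracer */
};

/* Simplified PT_ATTACH permission check: an unprivileged tracer may attach only
 * to an untraced process of its own uid that has not changed credentials. */
static bool pt_attach(struct proc *t, unsigned tracer_uid)
{
    if ((tracer_uid != 0 && t->uid != tracer_uid) || (t->flags & P_SUGID) || t->traced)
        return false;
    t->traced = true;
    t->tracer_uid = tracer_uid;
    return true;
}

/* Stand-in for the blocking call (the malloc() in the ucred copy): while the
 * target sleeps another process runs; the callback is that other process. */
typedef void (*sleep_hook)(struct proc *);

static void attacker_runs_while_target_sleeps(struct proc *target)
{
    (void)pt_attach(target, ATTACKER_UID);   /* races PT_ATTACH against the exec */
}

/* Ordering quoted in the message: sanity check, blocking call, change uid,
 * set P_SUGID. The attach window is open for the whole blocking call. */
static bool become_sugid_vulnerable(struct proc *p, unsigned new_uid, sleep_hook block)
{
    if (p->traced)            /* sanity check */
        return false;
    block(p);                 /* blocking call */
    p->uid = new_uid;         /* change user/group ID */
    p->flags |= P_SUGID;      /* set P_SUGID */
    return true;
}

/* One way to close the window (an assumption, not what either kernel did):
 * set P_SUGID before anything can sleep, so pt_attach() is refused meanwhile,
 * and re-run the sanity check after waking up. */
static bool become_sugid_fixed(struct proc *p, unsigned new_uid, sleep_hook block)
{
    if (p->traced)
        return false;
    p->flags |= P_SUGID;      /* set P_SUGID first */
    block(p);                 /* blocking call: PT_ATTACH now fails */
    if (p->traced) {          /* re-check after sleeping, undo on failure */
        p->flags &= ~P_SUGID;
        return false;
    }
    p->uid = new_uid;         /* change user/group ID */
    return true;
}

/* The outcome that matters: an unprivileged tracer attached to a process
 * that is now running as root. */
static bool compromised(const struct proc *p)
{
    return p->traced && p->tracer_uid != 0 && p->uid == 0;
}

/* Vulnerable ordering: the attacker wins the race. */
bool race_vulnerable(void)
{
    struct proc p = { 0, ATTACKER_UID, false, 0 };
    become_sugid_vulnerable(&p, 0, attacker_runs_while_target_sleeps);
    return compromised(&p);
}

/* Fixed ordering: the attach attempted during the sleep is refused. */
bool race_fixed(void)
{
    struct proc p = { 0, ATTACKER_UID, false, 0 };
    become_sugid_fixed(&p, 0, attacker_runs_while_target_sleeps);
    return compromised(&p);
}

/* Attach before the exec begins: the sanity check alone is enough. */
bool early_attach_caught(void)
{
    struct proc p = { 0, ATTACKER_UID, false, 0 };
    pt_attach(&p, ATTACKER_UID);
    return !become_sugid_vulnerable(&p, 0, attacker_runs_while_target_sleeps)
        && !compromised(&p);
}

int main(void)
{
    printf("vulnerable=%d fixed=%d early_attach_caught=%d\n",
           race_vulnerable(), race_fixed(), early_attach_caught());
    return 0;
}
```

The point the model makes is the one in the message: the existing sanity check only protects against a tracer that was already attached when the exec started, so whatever marks the process as having switched credentials has to be set before the first point at which the exec path can sleep, not after.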