[23448] in bugtraq
AIO vulnerability
daemon@ATHENA.MIT.EDU (David Rufino)
Mon Dec 10 15:34:12 2001
Date: Mon, 10 Dec 2001 15:43:35 +0100
From: David Rufino <dr@soniq.net>
To: bugtraq@securityfocus.com
Message-ID: <20011210144335.GA6572@soniq.net>
------------------------------------------------------------------------------
Soniq Security Advisory
David Rufino <dr@soniq.net> Dec 9, 2001
Race Condition in FreeBSD AIO implementation
http://elysium.soniq.net/dr/tao/tao.html
------------------------------------------------------------------------------
RISK FACTOR: LOW
SYNOPSIS
AIO is a POSIX standard for asynchronous I/O. Under certain conditions,
scheduled AIO operations persist after an execve, allowing arbitrary
overwrites in the memory of the new process. Combined with the permission
to execute suid binaries, this can yield elevated privileges.
Currently VFS_AIO is not enabled in the default FreeBSD kernel config,
however comments in "LINT" suggest security issues have been known about
privately for some time:
# Use real implementations of the aio_* system calls. There are numerous
# stability issues in the current aio code that make it unsuitable for
# inclusion on shell boxes.
The type of file descriptor used for the AIO operation is important. For
instance, operations on pipes will not complete fully after an execve,
whereas operations on sockets will. It is not known whether AIO operations
on hard disk files persist in the desired manner.
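The kernel fault described above cannot be repaired from userland, which is why the resolution below restricts the syscalls to root. What a program that uses AIO and later calls execve can do is make sure nothing is still in flight at the moment of the exec. The following is an added example, not code from the advisory or from tao.c: it uses only portable aio(7) calls (aio_error, aio_cancel, aio_suspend, aio_return), so it runs on any POSIX system with AIO and does not exercise the FreeBSD bug. The function names drain_aio_before_exec and demo_drain, the temporary file path and its contents are all constructed for the demonstration.

```c
/* Added example (not from the advisory or from tao.c): application-side
 * hygiene for programs that mix POSIX AIO with execve(). Every outstanding
 * request is cancelled or waited for before the exec, so no completion can
 * be delivered into the new image. Uses only portable aio(7) calls; the
 * temporary file and its contents are constructed for the demonstration. */
#include <aio.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Retire every request in reqs[] (entries are set to NULL once retired).
 * *completed counts requests that finished with data; *cancelled counts
 * requests that were cancelled or failed. Returns 0 when nothing is left in
 * progress, -1 if some request is still running after max_rounds waits. */
int drain_aio_before_exec(struct aiocb *reqs[], int n, int max_rounds,
                          int *completed, int *cancelled)
{
    *completed = 0;
    *cancelled = 0;
    for (int round = 0; round < max_rounds; round++) {
        int pending = 0;
        for (int i = 0; i < n; i++) {
            struct aiocb *cb = reqs[i];
            if (cb == NULL)
                continue;
            int st = aio_error(cb);
            if (st == EINPROGRESS) {
                /* Ask for a cancel; whether it succeeds (AIO_CANCELED), the
                 * request is already running (AIO_NOTCANCELED) or has just
                 * finished (AIO_ALLDONE), the status is re-checked next round. */
                (void)aio_cancel(cb->aio_fildes, cb);
                pending++;
                continue;
            }
            /* Finished: collect the result exactly once, then retire it. */
            ssize_t res = aio_return(cb);
            if (st == ECANCELED || res < 0)
                (*cancelled)++;
            else
                (*completed)++;
            reqs[i] = NULL;
        }
        if (pending == 0)
            return 0;
        /* Block until at least one remaining request changes state.
         * NULL entries in the list are ignored by aio_suspend(). */
        struct timespec ts = { 1, 0 };
        (void)aio_suspend((const struct aiocb *const *)reqs, n, &ts);
    }
    return -1;
}

/* Demo: queue one aio_read on a small constructed temp file, then drain.
 * Returns 0 when the drain leaves nothing in flight, negative on setup error. */
int demo_drain(void)
{
    char path[] = "/tmp/aio-drain-XXXXXX";          /* constructed path */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                                    /* leave no file behind */
    static const char payload[] = "constructed sample data";
    if (write(fd, payload, sizeof payload) != (ssize_t)sizeof payload) {
        close(fd);
        return -2;
    }

    char buf[64];
    struct aiocb cb;
    memset(&cb, 0, sizeof cb);
    cb.aio_fildes = fd;
    cb.aio_buf = buf;
    cb.aio_nbytes = sizeof buf;
    cb.aio_offset = 0;
    cb.aio_sigevent.sigev_notify = SIGEV_NONE;       /* no signal on completion */
    if (aio_read(&cb) != 0) {
        close(fd);
        return -3;
    }

    struct aiocb *reqs[1] = { &cb };
    int completed = 0, cancelled = 0;
    int rc = drain_aio_before_exec(reqs, 1, 10, &completed, &cancelled);
    close(fd);
    if (rc != 0)
        return -4;
    /* Exactly one request was retired, either with data or cancelled;
     * only now would it be safe to call execve(). */
    return (completed + cancelled == 1) ? 0 : -5;
}

int main(void)
{
    int rc = demo_drain();
    printf("drain before exec: %s\n", rc == 0 ? "nothing in flight" : "failed");
    return rc == 0 ? 0 : 1;
}
```

The drain loop deliberately accepts any outcome of aio_cancel: on an implementation that has already handed the request to a worker (or to the kernel), the cancel is refused and aio_suspend simply waits for completion. The invariant that matters is the one checked at the end, that every control block has been retired through aio_return, so the buffer it pointed at is no longer a live target for the I/O subsystem when the address space is replaced.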
VULNERABLE SYSTEMS
FreeBSD 4-STABLE up to at least 28/10/01
RESOLUTION
Currently there are no known patches to remove all security issues. However
a patch is available to limit the use of AIO syscalls to root at
http://elysium.soniq.net/dr/tao/patch-01
EXPLOIT
Given that FreeBSD AIO is not in active use at the moment, I have made
available a proof of concept exploit, at http://elysium.soniq.net/dr/tao/tao.c
CREDITS
Discovery and exploitation was conducted by David Rufino.
CONTACT INFORMATION
dr+securityfocussucks@soniq.net
http://elysium.soniq.net/dr/index.html