[25210] in bugtraq
Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio
daemon@ATHENA.MIT.EDU (bert hubert)
Mon Apr 22 18:08:30 2002
Date: Mon, 22 Apr 2002 22:28:22 +0200
From: bert hubert <ahu@ds9a.nl>
To: Bugtraq <bugtraq@securityfocus.com>
Message-ID: <20020422222822.A27144@outpost.ds9a.nl>
Mail-Followup-To: bert hubert <ahu@ds9a.nl>,
Bugtraq <bugtraq@securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200204221801.g3MI1Zu96486@freefall.freebsd.org>; from security-advisories@freebsd.org on Mon, Apr 22, 2002 at 11:01:35AM -0700
> Credits: Joost Pol <joost@pine.nl>
Joost rules. And my apologies to Pine for always being late paying my bills.
Sorry :-)
This is a simple test, executing a setuid process with file descriptor 2
closed, and then opening a file and seeing what fd it gets.
Linux 2.2.16         RedHat AXP        Not vulnerable (thanks fets)
Linux 2.5.6          Debian `Woody'    Not vulnerable
Linux 2.4.18         Debian `Potato'   Not vulnerable
OpenBSD 2.9                            Not vulnerable (thanks dim)
OpenBSD 3.0                            Not vulnerable (thanks sateh)
OpenBSD 3.1                            Not vulnerable (thanks dim)
OS X 10.1.4                            Not vulnerable (thanks sateh)
NetBSD 1.4.2                           Not vulnerable (thanks bounce)
Solaris 2.5.1-2.5.8                    Vulnerable
Code on http://ds9a.nl/setuid-fd-2.tar.gz
For further tests, 'outer' might try to exhaust *all* available
file descriptors except 0, 1 or 2. This is left as an exercise for the
reader, or maybe we will beat you to it.
The trick is to leave enough fd's available for ld.so.
Regards,
bert
--
http://www.PowerDNS.com/pdns Try our new database driven nameserver!
http://www.tk the dot in .tk
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO
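
Added example, not part of the original post or of the test code it links to: the startup check a privileged program can run so that a file it opens later cannot land on descriptor 0, 1 or 2, shown next to the unprotected behaviour the post tests for. The function names are assumptions, and /dev/null stands in for the file being opened.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Keep opening /dev/null until descriptors 0, 1 and 2 are all occupied.
 * open() returns the lowest free descriptor, so any result <= 2 plugged a
 * hole. Returns the number of holes plugged, or -1 if /dev/null cannot be
 * opened (a setuid program should exit in that case, not continue). */
int ensure_std_fds(void)
{
    int filled = 0;
    for (;;) {
        int fd = open("/dev/null", O_RDWR);
        if (fd < 0)
            return -1;
        if (fd > STDERR_FILENO) {   /* 0..2 were already in use */
            close(fd);
            return filled;
        }
        filled++;                   /* leave it open as a placeholder */
    }
}

/* Recreate the tested condition inside one process: close fd 2, open a
 * file, report which descriptor it received. With harden != 0 the check
 * runs first, as it would at the top of main() in a setuid binary. */
int fd_after_closing_stderr(int harden)
{
    if (ensure_std_fds() < 0)       /* known baseline: 0, 1, 2 open */
        return -1;
    int saved = dup(STDERR_FILENO); /* lands on a descriptor >= 3 */
    if (saved < 0)
        return -1;
    close(STDERR_FILENO);
    int got = -1;
    if (!harden || ensure_std_fds() >= 0)
        got = open("/dev/null", O_WRONLY);  /* stands in for a data file */
    if (got >= 0)
        close(got);
    dup2(saved, STDERR_FILENO);     /* restore the real stderr */
    close(saved);
    return got;
}

int main(void)
{
    printf("without check: file opened on fd %d\n", fd_after_closing_stderr(0));
    printf("with check:    file opened on fd %d\n", fd_after_closing_stderr(1));
    return 0;
}
```

Without the check the file takes descriptor 2, so anything the program later writes to stderr goes into that file; with the check the file is opened on a descriptor above 2.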