--BzCohdixPhurzSK4 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable ----- Forwarded message from security-officerat_private ----- Delivered-To: freebsd-announceat_private From: security-officerat_private To: freebsd-announceat_private Cc: security-notificationsat_private Subject: FreeBSD-SA-99:01: BSD File Flags and Programming Techniques Date: Fri, 03 Sep 1999 23:29:36 -0600 X-Loop: FreeBSD.org Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D FreeBSD-SA-99:01 Security Adviso= ry FreeBSD, In= c. Topic: BSD File Flags and Programming Techniques Category: core Module: kernel Announced: 1999-09-04 Affects: FreeBSD 3.2 (and earlier) FreeBSD-current before the correction date. Corrected: FreeBSD-3.3 RELEASE FreeBSD-current as of 1999/08/02 FreeBSD-3.2-stable as of 1999/08/02 FreeBSD-2.2.8-stable as of 1999/08/04 FreeBSD only: NO Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-99:01/ I. Background =20 BSD 4.4 added various flags to files in the file system. These flags control various aspects of which operations are permitted on those files. Historically, root has been been able to do all of these operations so many programs that knew they were running as root didn't check to make sure that these operations succeeded. II. Problem Description A user can set flags and mode on the device which they logged into. Since a bug in login and other similar programs causes the normal chown to fail, this first user will own the terminal of any login. III. Impact Local users can execute a man-in-the-middle attack against any other user (including root) when the other users logs in. This give them the ability to snoop and alter all text that the user writes. Results of this include the ability to execute commands as the user, and stealing the user's password (and anything else the users writes over the connection, including passwords for other machines). IV. Workaround None. V. Solution FreeBSD-current Index: kern/vfs_syscalls.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.125 retrieving revision 1.128 diff -u -r1.125 -r1.128 --- vfs_syscalls.c 1999/07/29 17:02:56 1.125 +++ vfs_syscalls.c 1999/08/04 04:52:18 1.128 @@ -1892,13 +1892,23 @@ int error; struct vattr vattr; + /* + * Prevent non-root users from setting flags on devices. When + * a device is reused, users can retain ownership of the device + * if they are allowed to set flags and programs assume that + * chown can't fail when done as root. + */ + if ((vp->v_type =3D=3D VCHR || vp->v_type =3D=3D VBLK) &&=20 + ((error =3D suser_xxx(p->p_ucred, p, PRISON_ROOT)) !=3D 0)) + return (error); + VOP_LEASE(vp, p, p->p_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p); VATTR_NULL(&vattr); vattr.va_flags =3D flags; error =3D VOP_SETATTR(vp, &vattr, p->p_ucred, p); VOP_UNLOCK(vp, 0, p); - return error; + return (error); } /* FreeBSD-3.2-stable Index: kern/vfs_syscalls.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.112.2.3 retrieving revision 1.112.2.5 diff -u -r1.112.2.3 -r1.112.2.5 --- vfs_syscalls.c 1999/07/30 01:07:23 1.112.2.3 +++ vfs_syscalls.c 1999/08/11 21:39:50 1.112.2.5 @@ -1839,13 +1839,23 @@ int error; struct vattr vattr; + /* + * Prevent non-root users from setting flags on devices. When + * a device is reused, users can retain ownership of the device + * if they are allowed to set flags and programs assume that + * chown can't fail when done as root. + */ + if ((vp->v_type =3D=3D VCHR || vp->v_type =3D=3D VBLK) &&=20 + ((error =3D suser(p->p_ucred, &p->p_acflag)) !=3D 0)) + return (error); + VOP_LEASE(vp, p, p->p_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p); VATTR_NULL(&vattr); vattr.va_flags =3D flags; error =3D VOP_SETATTR(vp, &vattr, p->p_ucred, p); VOP_UNLOCK(vp, 0, p); - return error; + return (error); } /* FreeBSD 2.2.8-stable: Index: kern/vfs_syscalls.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.51.2.7 retrieving revision 1.51.2.8 diff -u -r1.51.2.7 -r1.51.2.8 --- vfs_syscalls.c 1998/07/03 03:50:31 1.51.2.7 +++ vfs_syscalls.c 1999/08/04 18:58:56 1.51.2.8 @@ -1439,6 +1439,17 @@ if (error) return (error); vp =3D nd.ni_vp; + if ((error =3D VOP_GETATTR(vp, &vattr, p->p_ucred, p))) + return (error); + /* + * Prevent non-root users from setting flags on devices. When + * a device is reused, users can retain ownership of the device + * if they are allowed to set flags and programs assume that + * chown can't fail when done as root. + */ + if ((vp->v_type =3D=3D VCHR || vp->v_type =3D=3D VBLK) && + ((error =3D suser(p->p_ucred, &p->p_acflag)) !=3D 0)) + return (error); LEASE_CHECK(vp, p, p->p_ucred, LEASE_WRITE); VOP_LOCK(vp); VATTR_NULL(&vattr); VI. Credits Theo de Raadt came up with the firewalling solution presented here. lumpyat_private brought this problem to light. =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officerat_private Security notifications: security-notificationsat_private Security public discussion: freebsd-securityat_private PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.a= sc Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBN9CAHFUuHi5z0oilAQEJPwP/XhzCOs4ipJkZIPWlSDvsvPLcJWXzb3HK Fs8gLV3CPnW7YdSpveosI3hBY9WNCVAFx9WkM5+n+FBSRfbRzFJkkblN85ZCz7pI +RXg6Sv5vuzy6SRxMRK2vu1FXuwZevVQaMq4ANUXpdo5MyUE8rMGb9PLWdxOxdf5 s6zlG0oFyvI=3D =3DCqoX -----END PGP SIGNATURE----- This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomoat_private with "unsubscribe freebsd-announce" in the body of the message ----- End forwarded message ----- --=20 Patrick Oonk - PO1-6BONE - patrickat_private - www.pine.nl/~patrick Pine Internet B.V. PGP key ID BE7497F1 =20 Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- Excuse of the day: Your Flux Capacitor has gone bad. --BzCohdixPhurzSK4 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia iQB1AwUBN9C+UvMOST2+dJfxAQErmQL/f5kwbuySzxKESwwCEpU4lneiVMhjd/qc v150Z1qAlAK9iT5lyvEZNS9Bomn7WDeBBEOKpDGLx2eRDtwYsIz1jAZpjIteawoC rwBabJslk06O0+WcuAuGczO7Sz9242Cc =2RYb -----END PGP SIGNATURE----- --BzCohdixPhurzSK4--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:44 PDT