Re: OpenBSD 2.9,2.8 local root compromise

From: Jason R Thorpe (thorpejat_private)
Date: Thu Jun 14 2001 - 23:38:03 PDT


On Thu, Jun 14, 2001 at 07:09:31PM +0200, Przemyslaw Frasunek wrote:

> On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
> > OpenBSD 2.9,2.8
> > Have not tested on other OSes but they may be vulnerable
> 
> FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
> privileges before allowing detach.

Uh, the fundamental problem is that there's a chance to PT_ATTACH to
such a process before the P_SUGID bit is set in the proc.  This can
happen when, e.g. the ucred structure is copied (there is a potentially
blocking malloc() call in that path).

A cursory glance shows several places where the FreeBSD kernel has
code like:

	/* sanity check */
	/* blocking call */
	/* change user/group ID */
	/* set P_SUGID */

During the /* blocking call */, another process can sneak in and PT_ATTACH
the process that is about to become sugid.

-- 
        -- Jason R. Thorpe <thorpejat_private>
    
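The ordering problem Thorpe describes, reduced to a deterministic user-space model (added example, not kernel code from OpenBSD, FreeBSD or the thread). The `struct proc`, `pt_attach()` and both `setuid_path_*()` functions are hypothetical stand-ins: the "blocking call" is modelled as the single point where a competing same-uid tracer gets to attempt PT_ATTACH, and the hardened ordering shown is one illustrative way to close the window, not the fix either project shipped.

```c
#include <stdbool.h>
#include <stddef.h>

/* Flag bit as in the BSD proc structure: credentials changed since exec. */
#define P_SUGID 0x100

/* Minimal model of the proc fields the race touches (hypothetical, not the real struct). */
struct proc {
    int uid;        /* real uid */
    int euid;       /* effective uid */
    unsigned flags; /* P_SUGID lives here */
    bool traced;    /* set once a tracer has successfully PT_ATTACHed */
};

/* PT_ATTACH permission check: an unprivileged tracer may attach only to a
 * process with its own real uid that is not marked P_SUGID. */
static bool pt_attach(struct proc *target, int tracer_uid)
{
    if (tracer_uid == 0 || (tracer_uid == target->uid && !(target->flags & P_SUGID))) {
        target->traced = true;
        return true;
    }
    return false;
}

/* The ordering quoted in the post: the blocking call precedes both the credential
 * change and the P_SUGID mark, so a same-uid tracer can attach during the block.
 * Returns true when the tracer ends up controlling a process whose euid != uid. */
bool setuid_path_vulnerable(struct proc *p, int new_euid, int tracer_uid)
{
    if (p == NULL) return false;         /* sanity check */
    pt_attach(p, tracer_uid);            /* blocking call: the PT_ATTACH window */
    p->euid = new_euid;                  /* change user/group ID */
    p->flags |= P_SUGID;                 /* set P_SUGID, too late to matter */
    return p->traced && p->euid != p->uid;
}

/* One ordering that closes the window (illustrative assumption): mark the process
 * P_SUGID before anything can block, so the attach check fails during the block. */
bool setuid_path_hardened(struct proc *p, int new_euid, int tracer_uid)
{
    if (p == NULL) return false;         /* sanity check */
    p->flags |= P_SUGID;                 /* set P_SUGID first */
    pt_attach(p, tracer_uid);            /* blocking call: attach is now refused */
    p->euid = new_euid;                  /* change user/group ID */
    return p->traced && p->euid != p->uid;
}
```

A real kernel also has to undo the early mark if the credential change later fails; the model omits that error path.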
    This archive was generated by hypermail 2b30 : Fri Jun 15 2001 - 08:41:05 PDT