Hi I recently found a vulnerability in OpenBSD kernel that allows any user capable of executing a process to deliver SIGURG and SIGIO signals to any process (or group of process) owned by any user in the system. Although the default behaviour in OpenBSD is to ignore these signals, this issue could be an effective Denial of Service mechanism for processes that catch each of the two. Another vulnerability with the same consecuences was published and fixed in Linux and OpenBSD (http://www.openbsd.org/advisories/signal.txt). The vendor was already notified, and the issue was fixed but probably other bsd systems (such as NetBSD and FreeBSd) may be affected. Attached to this mail is a non official patch that fix the problem. Here is the technical description: Most Unix systems provide an asynchronic I/O mechanism: every time data arrives to an specific file descriptor, the operating system notifies the owner with a signal (SIGIO). In the case of sockets the process is notified when a packet with the Out of Band flag arrives with the SIGURG signal. This mechanism is activated through the function fcntl, with O_ASYNC flag, or ioctl with FIOASYNC. Which process is notified depends on the ownership of the file descriptor. Generally the owner of a file descriptor is the creator (the process that calls the socket function in the case of sockets). Under some circumstances it could be necesary for a process to yield the ownership of a file descriptor to another process (usually a child process). A process shouldn't yield ownership of a file descriptor to any process in the system. This issue was addressed in the bug already mentioned (http://www.openbsd.org/advisories/signal.txt). The management of the permissions to set the owner of a file descriptor is handled differently in Linux and OpenBSD. In linux, an EPERM error is returned when someone attempts to set the owner of a file descriptor to a process of another user. In OpenBSD, the function doesn't return an error, instead at the moment the system must deliver a signal, permissions are checked and a decision is made. To accomplish this check in the case of sockets, the OpenBSD kernel stores in the internal structure of each socket: so_siguid and so_sigeuid, with the information of the process that sets the ownership. This keeps an unauthorized process from opening, setting the asynchronous flag, or changing the ownership of a given file descriptor, and the delivery of signals. When a socket waits for connections using accept the new socket returned inherits the properties of the first socket. The bug exists in the routine that creates the new connected socket, sonewconn1. This routing doesn't copy the so_siguid y so_sigeuid fields of the socket structure. They are reset to zero in the new socket. Taking advantage of these two facts together, it is possible to create a socket, assign ownership to a different process, call accept and have the so_siguid and so_sigeuid flags resetted. This will leave us with a socket with a different owner than our process id, and with with the check performed at signal delivery time will always be cleared. Gustavo Ajzenman ==============[ CORE Security Technologies ]=============== Gustavo Ezequiel Ajzenman Sofware Developer gustavo.ajzenmanat_private Florida 141 | 2º cuerpo | 7º piso (C1005AAC) Buenos Aires | Argentina Tel/Fax : (54 11) 4878-CORE (2673) info.argentinaat_private | www.corest.com ===================================================
This archive was generated by hypermail 2b30 : Sat Oct 06 2001 - 10:37:46 PDT