security_at_caldera.com
Date: Mon Dec 09 2002 - 15:41:12 CST

    To: bugtraqsecurityfocus.com announcelists.caldera.com scoannmodxenitec.on.ca full-disclosurelists.netsys.com

    ______________________________________________________________________________

                            SCO Security Advisory

    Subject: UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor race vulnerability
    Advisory number: CSSA-2002-SCO.43
    Issue date: 2002 December 09
    Cross reference:
    ______________________________________________________________________________

    1. Problem Description

             On current OpenBSD systems, any local user (whether or not in
             the wheel group) can fill the kernel file descriptor table,
             leading to a denial of service. Because of a flaw in the way
             the kernel checks closed file descriptors 0-2 when running a
             setuid program, it is possible to combine these bugs and gain
             root access by winning a race condition.

             Since UnixWare does not have a global kernel file descriptor
             table (it has a per-process dynamic file descriptor table), it
             is not prone to the denial of service attack or to the race
             condition resulting in a root exploit.

             The second problem, however, does exist - closing file
             descriptors 0, 1 and/or 2 before exec'ing a setuid program
             can make this program open files under these fds, which have
             special meanings for libc (stdin/out/err). Reading or writing
             to root-owned files can be made possible, since
             stdXX==opened_file.

             The fix done for BSD is to check (in the kernel) before
             exec'ing a set[ug]id program if fd 0, 1 and 2 are closed, and
             if so redirect them to /dev/null. We have done the same fix
             for UnixWare.

             This fix will only kick in when an unprivileged process
             execs a set[ug]id program.

     
    2. Vulnerable Supported Versions

            System                  Binaries
            ----------------------------------------------------------------------
            UnixWare 7.1.1          /etc/conf/pack.d/proc/Driver_atup.o
                                    /etc/conf/pack.d/proc/Driver_mp.o

            Open UNIX 8.0.0         /etc/conf/pack.d/proc/Driver_atup.o
                                    /etc/conf/pack.d/proc/Driver_mp.o

    3. Solution

            The proper solution is to install the latest packages.

    4. UnixWare 7.1.1

            4.1 Location of Fixed Binaries

            ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43

            4.2 Verification

            MD5 (erg712059.711.pkg.Z) = 1545beb0d12890de701e129de54bf7b6

            md5 is available for download from
                    ftp://ftp.sco.com/pub/security/tools

            4.3 Installing Fixed Binaries

            *** NOTE: THE UW711M2 SUPPLEMENT MUST BE INSTALLED PRIOR TO
                      APPLYING THIS UPDATE.

            Upgrade the affected binaries with the following sequence:

            Download erg712059.711.pkg.Z to the /var/spool/pkg directory

            # uncompress /var/spool/pkg/erg712059.711.pkg.Z
            # pkgadd -d /var/spool/pkg/erg712059.711.pkg

    5. Open UNIX 8.0.0

            5.1 Location of Fixed Binaries

            ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43

            5.2 Verification

            MD5 (erg712059.ou8.pkg.Z) = 9291ab96576e48b55e981190480855ca

            md5 is available for download from
                    ftp://ftp.sco.com/pub/security/tools

            5.3 Installing Fixed Binaries

            *** NOTE: THE OU800PK4 SUPPLEMENT MUST BE INSTALLED PRIOR TO
                      APPLYING THIS UPDATE.

            Upgrade the affected binaries with the following sequence:

            Download erg712059.ou8.pkg.Z to the /var/spool/pkg directory

            # uncompress /var/spool/pkg/erg712059.ou8.pkg.Z
            # pkgadd -d /var/spool/pkg/erg712059.ou8.pkg

    6. References

            Specific references for this advisory:

                    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0766

            SCO security resources:

                    http://www.sco.com/support/security/index.html

            This security fix closes SCO incidents sr865063, fz526562,
            erg712059.

    7. Disclaimer

            SCO is not responsible for the misuse of any of the information
            we provide on this website and/or through our security
            advisories. Our advisories are a service to our customers
            intended to promote secure installation and use of SCO
            products.

    8. Acknowledgements

            FozZy <fozzydmpfrance.com>, et al. discovered and researched
            this vulnerability.

    ______________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (SCO_SV)
    Comment: For info see http://www.gnupg.org

    iEYEARECAAYFAj31DfgACgkQaqoBO7ipriERpACdEFv/DwYTLOsISxk0mgtVLLX/
    cPAAoJ2yq5W9nUt+WHCeel0ApmUP0nbM
    =yQZv
    -----END PGP SIGNATURE-----
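
The advisory's fix redirects closed descriptors 0, 1 and 2 to /dev/null in the kernel before a set[ug]id exec. The following is an added example, not part of the SCO advisory or its patch: a userland version of the same check that a privileged program can run first thing in main() on systems without the kernel fix. The function name sanitize_std_fds is an assumption chosen for this illustration.

```c
/* Added example: userland analogue of the kernel fix described in the
 * advisory. Not SCO code; sanitize_std_fds() is a hypothetical name. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Make sure fds 0, 1 and 2 are open, pointing any closed one at /dev/null.
 * Returns the number of descriptors repaired, or -1 on failure. */
int sanitize_std_fds(void)
{
    int repaired = 0;

    for (int fd = 0; fd <= 2; fd++) {
        struct stat st;

        if (fstat(fd, &st) == 0)
            continue;               /* descriptor is open, leave it alone */
        if (errno != EBADF)
            return -1;              /* unexpected error: treat as fatal */

        /* open() returns the lowest free descriptor. Every descriptor
         * below `fd` has already been verified open, so the result must
         * be exactly `fd`; anything else means the state is not trusted. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd != fd) {
            if (nfd >= 0)
                close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

int main(void)
{
    /* Run before any other open(), so no data file can land on fd 0-2
     * and be read or written through stdin/stdout/stderr by libc. */
    if (sanitize_std_fds() < 0)
        _exit(127);                 /* fail closed, without using stdio */

    puts("standard descriptors verified");
    return 0;
}
```

A non-zero return value is also worth logging, since a caller that closes the standard descriptors before exec'ing a privileged program is unusual.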