|
Unzuthorized file access via file stdio decriptors in multiple Unix systems
updated since 22.04.2002 | | Published: |  | 18.01.2007 | | Source: |  | SECURITEAM | | SecurityVulns ID: |  | 1956 | | Type: |  | client | | Level: |  | 8/10 | | Description: |  | By exhausting all file descriptors and closing stderr it's possible to causesituation called application will open new file with descriptor 2 and all stderr output will be redirected to file. In few systems it's enougth to close standard descriptor. |
| Affected: |  | FREEBSD : FreeBSD 5.0 | | | | OPENBSD : OpenBSD 2.9 | | | | SCO : UnixWare 7.1 | | | | HP : HP-UX 11.11 | | | | OPENBSD : OpenBSD 3.0 | | | | SCO : Open UNIX 8.0 | | | | FREEBSD : FreeBSD 4.5 | | | | OPENBSD : OpenBSD 3.1 | | | | SUN : Solaris 9 | | | | IBM : AIX 5.3 | | CVE: |  | CVE-2007-0394 (HP HP-UX B11.11 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572.) | | | | CVE-2007-0393 (Sun Solaris 9 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572.) | | | | CVE-2007-0392 (IBM AIX 5.3 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572.) | | | | CVE-2002-0572 (FreeBSD 4.5 and earlier, and possibly other BSD-based operating systems, allows local users to write to or read from restricted files by closing the file descriptors 0 (standard input), 1 (standard output), or 2 (standard error), which may then be reused by a called setuid process that intended to perform I/O on normal files.) |
|
|
|
|
|
