Securityvulns SECURITYVULNS:DOC:3854
Dec 10, 2002 - 12:00 a.m.

Security Update: [CSSA-2002-SCO.43] UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor race vulnerability


To: [email protected] [email protected] [email protected]
[email protected]


                    SCO Security Advisory

Subject: UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor
race vulnerability
Advisory number: CSSA-2002-SCO.43
Issue date: 2002 December 09
Cross reference:


  1. Problem Description

      On current OpenBSD systems, any local user (whether or not in
      the wheel group) can fill the kernel file descriptor table,
      leading to a denial of service. Because of a flaw in the way
      the kernel checks closed file descriptors 0-2 when running a
      setuid program, it is possible to combine these bugs and gain
      root access by winning a race condition.
    
      Since UnixWare does not have a global kernel file descriptor
      table (it has a per-process dynamic file descriptor table), it
      is not prone to the denial of service attack or to the race
      condition resulting in a root exploit.
    
      The second problem, however, does exist - closing file
      descriptors 0, 1 and/or 2 before exec'ing a setuid program
      can make this program open files under these fds, which have
      special meanings for libc (stdin/out/err). Reading from or
      writing to root-owned files then becomes possible, because the
      stdio stream refers to the file the program opened
      (stdXX==opened_file).
    
      The fix done for BSD is to check (in the kernel), before
      exec'ing a set[ug]id program, whether fds 0, 1 and 2 are
      closed, and if so to redirect them to /dev/null. We have
      applied the same fix to UnixWare.
    
      This fix will only kick in when an unprivileged process
      execs a set[ug]id program.
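
      The redirect-to-/dev/null check described above, done in userland
      at the start of a privileged program. This is an added example,
      not SCO's kernel patch or code from the advisory; the helper names
      fd_is_open and sanitize_std_fds are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Returns 1 if fd is an open descriptor, 0 if it is closed (EBADF). */
int fd_is_open(int fd)
{
    return !(fcntl(fd, F_GETFD) == -1 && errno == EBADF);
}

/*
 * Ensure descriptors 0, 1 and 2 are open before the program opens any
 * file of its own. Every closed one is pointed at /dev/null, so a later
 * open() can no longer land on a stdio slot.
 * Returns the number of descriptors repaired, or -1 on failure.
 */
int sanitize_std_fds(void)
{
    int repaired = 0;

    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        /* open() returns the lowest free descriptor; 0..fd-1 are open
           at this point, so this is normally fd itself. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}

int main(void)
{
    /* Refuse to continue if the standard descriptors cannot be made safe. */
    if (sanitize_std_fds() == -1)
        _exit(127);
    /* Only now is it safe to open privileged files and use stdio. */
    return 0;
}
```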
    
  2. Vulnerable Supported Versions

     System                          Binaries
     ----------------------------------------------------------------------
     UnixWare 7.1.1                  /etc/conf/pack.d/proc/Driver_atup.o
                                     /etc/conf/pack.d/proc/Driver_mp.o
    
     Open UNIX 8.0.0                 /etc/conf/pack.d/proc/Driver_atup.o
                                     /etc/conf/pack.d/proc/Driver_mp.o
    
  3. Solution

     The proper solution is to install the latest packages.
    
  4. UnixWare 7.1.1

     4.1 Location of Fixed Binaries
    
     ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43
    
    
     4.2 Verification
    
     MD5 (erg712059.711.pkg.Z) = 1545beb0d12890de701e129de54bf7b6
    
     md5 is available for download from
             ftp://ftp.sco.com/pub/security/tools
    
    
     4.3 Installing Fixed Binaries
    
     *** NOTE: THE UW711M2 SUPPLEMENT MUST BE INSTALLED PRIOR TO
               APPLYING THIS UPDATE.
    
     Upgrade the affected binaries with the following sequence:
    
     Download erg712059.711.pkg.Z to the /var/spool/pkg directory
    
     # uncompress /var/spool/pkg/erg712059.711.pkg.Z
     # pkgadd -d /var/spool/pkg/erg712059.711.pkg
    
  5. Open UNIX 8.0.0

     5.1 Location of Fixed Binaries
    
     ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43
    
    
     5.2 Verification
    
     MD5 (erg712059.ou8.pkg.Z) = 9291ab96576e48b55e981190480855ca
    
     md5 is available for download from
             ftp://ftp.sco.com/pub/security/tools
    
    
     5.3 Installing Fixed Binaries
    
     *** NOTE: THE OU800PK4 SUPPLEMENT MUST BE INSTALLED PRIOR TO
               APPLYING THIS UPDATE.
    
     Upgrade the affected binaries with the following sequence:
    
     Download erg712059.ou8.pkg.Z to the /var/spool/pkg directory
    
     # uncompress /var/spool/pkg/erg712059.ou8.pkg.Z
     # pkgadd -d /var/spool/pkg/erg712059.ou8.pkg
    
  6. References

     Specific references for this advisory:
    
             http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0766
    
     SCO security resources:
    
             http://www.sco.com/support/security/index.html
    
     This security fix closes SCO incidents sr865063, fz526562,
     erg712059.
    
  7. Disclaimer

     SCO is not responsible for the misuse of any of the information
     we provide on this website and/or through our security
     advisories. Our advisories are a service to our customers
     intended to promote secure installation and use of SCO
     products.
    
  8. Acknowledgements

     FozZy <[email protected]>, et al. discovered and researched
     this vulnerability.
    
