Computer Security


Unauthorized file access via file stdio descriptors in multiple Unix systems
updated since 22.04.2002
Published: 18.01.2007
Source:
SecurityVulns ID: 1956
Type: client
Threat Level: 8/10
Description: By exhausting all file descriptors and closing stderr, it is possible to cause a situation in which the called application opens a new file with descriptor 2, so that all stderr output is redirected to that file. On a few systems it is enough to close a standard descriptor.
Affected: FREEBSD : FreeBSD 5.0
 OPENBSD : OpenBSD 2.9
 SCO : UnixWare 7.1
 HP : HP-UX 11.11
 OPENBSD : OpenBSD 3.0
 SCO : Open UNIX 8.0
 FREEBSD : FreeBSD 4.5
 OPENBSD : OpenBSD 3.1
 ORACLE : Solaris 9
 IBM : AIX 5.3
CVE: CVE-2007-0394 (HP HP-UX B11.11 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572.)
 CVE-2007-0393 (Sun Solaris 9 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572.)
 CVE-2007-0392 (IBM AIX 5.3 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572.)
 CVE-2002-0572 (FreeBSD 4.5 and earlier, and possibly other BSD-based operating systems, allows local users to write to or read from restricted files by closing the file descriptors 0 (standard input), 1 (standard output), or 2 (standard error), which may then be reused by a called setuid process that intended to perform I/O on normal files.)
Original document: XFOCUS, Multiple OS kernel insecure handling of stdio file descriptor (18.01.2007)
 CALDERA, Security Update: [CSSA-2002-SCO.43] UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor race vulnerability (10.12.2002)
 fozzy_(at)_dmpfrance.com, OpenBSD local DoS and root exploit (10.05.2002)
 Patrick Oonk, Pine Internet Advisory: Setuid application execution may give local root in FreeBSD (23.04.2002)
 FREEBSD, Security Advisory FreeBSD-SA-02:23.stdio (23.04.2002)
 SECURITEAM, [UNIX] Suid Application Execution May Give Local Root (22.04.2002)
Files: stdio kernel bug in All releases of FreeBSD
 Proof Of Concept exploit for the Freebsd file descriptors bug
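
A privileged program can defend itself against the descriptor reuse described above by verifying descriptors 0, 1 and 2 at startup, regardless of how the kernel treats them. The following is an added example, not code from this page or from the advisories it lists; the function name `sanitize_std_fds` is hypothetical, and the code assumes a POSIX system with `/dev/null` available.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Hypothetical helper (name chosen for this example): make sure descriptors
 * 0, 1 and 2 are open before the program opens any file of its own.
 * Returns the number of descriptors it had to fill (0..3), or -1 if the
 * process must not continue.
 */
int sanitize_std_fds(void)
{
    int repaired = 0;

    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                 /* descriptor is open, leave it alone */
        if (errno != EBADF)
            return -1;                /* unexpected error: fail closed */

        /* open() returns the lowest free descriptor, which is fd here
         * because every lower descriptor is already known to be open. */
        int nfd = open("/dev/null", O_RDWR | O_NOCTTY);
        if (nfd == -1)
            return -1;                /* e.g. EMFILE/ENFILE: table exhausted */
        if (nfd != fd) {              /* not the expected slot: fail closed */
            close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

int main(void)
{
    /* Must run before any other open(), fopen(), socket(), ... call. */
    if (sanitize_std_fds() < 0)
        _exit(1);   /* no usable stderr may exist, so exit without printing */

    fprintf(stderr, "standard descriptors verified\n");
    return 0;
}
```

The failure path matters as much as the repair: when the descriptor table is exhausted, `open()` fails and the program exits instead of continuing with a closed standard descriptor that a later file open could occupy.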

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod