Date: Tue, 10 Jul 2001 12:25:03 -0400
From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:
Message-ID: <5.1.0.14.0.20010710121959.03e50a40@marble.sentex.ca>
In-Reply-To: <200107101402.f6AE2FK63559@freefall.freebsd.org>
Does anyone know if there are active exploits out there for this issue? Is it a trivial / script kiddie friendly hole? Just trying to get a sense of how urgent it is to upgrade.

---Mike

At 07:02 AM 7/10/01 -0700, FreeBSD Security Advisories wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>FreeBSD-SA-01:42                                           Security Advisory
>                                                                FreeBSD, Inc.
>
>Topic:          signal handling during exec may allow local root
>                compromise
>
>Category:       core
>Module:         kernel
>Announced:      2001-07-10
>Credits:        Georgi Guninski <guninski@guninski.com>
>Affects:        All released versions of FreeBSD 4.x,
>                FreeBSD 4.3-STABLE prior to the correction date.
>Corrected:      2001-07-09
>FreeBSD only:   Yes
>
>I.   Background
>
>When a process forks, it inherits the parent's signals. When the
>process execs, the kernel clears the signal handlers because they are
>not valid in the new address space.
>
>II.  Problem Description
>
>A flaw exists in FreeBSD signal handler clearing that would allow for
>some signal handlers to remain in effect after the exec. Most of the
>signals were cleared, but some signal handlers were not. This allowed
>an attacker to execute arbitrary code in the context of a setuid
>binary.
>
>All versions of 4.x prior to the correction date, including
>4.3-RELEASE, are vulnerable to this problem. The problem has been
>corrected by copying the inherited signal handlers and resetting the
>signals instead of sharing the signal handlers.
>
>III. Impact
>
>Local users may be able to gain increased privileges on the local
>system.
>
>IV.  Workaround
>
>Do not allow untrusted users to gain access to the local system.
>
>V.   Solution
>
>One of the following:
>
>1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE after the
>correction date.
>
>2) To patch your present system: download the relevant patch from the
>below location, and execute the following commands as root:
>
>[FreeBSD 4.1, 4.2, and 4.3 base systems]
>
>This patch has been verified to apply to FreeBSD 4.1, 4.2, and 4.3 only.
>It may or may not apply to older releases.
>
># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:42/signal-4.3.patch
># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:42/signal-4.3.patch.asc
>
>Verify the detached PGP signature using your PGP utility.
>
># cd /usr/src/sys/kern
># patch -p < /path/to/patch
>
>[ Recompile your kernel as described in
>http://www.freebsd.org/handbook/kernelconfig.html and reboot the
>system ]
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (FreeBSD)
>Comment: FreeBSD: The Power To Serve
>
>-----END PGP SIGNATURE-----
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
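As an added example, not part of the thread or the advisory: a small C program that checks a running system for the class of bug the advisory describes. It installs a handler on every catchable signal, execs itself, and reports any handler still in effect in the new image; `reset_all_handlers` is the user-space analogue of the fix (reset every disposition rather than carry handler state across). All function names and the `--child` marker argument are this example's own.

```c
/* Added example, not code from the advisory or the thread: checks that
 * exec() resets caught signal handlers to SIG_DFL, the property SA-01:42
 * says the 4.x kernel got wrong.  All names here are this example's own. */
#define _GNU_SOURCE /* glibc: expose NSIG and sigaction under strict -std */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
static void noop_handler(int sig) { (void)sig; }
/* Apply one disposition to every signal; returns how many sigaction()
 * calls succeeded (SIGKILL and SIGSTOP always fail and stay default). */
static int set_all(void (*handler)(int))
{
    struct sigaction sa = { 0 };
    int sig, changed = 0;
    sa.sa_handler = handler;
    for (sig = 1; sig < NSIG; sig++)
        if (sigaction(sig, &sa, NULL) == 0)
            changed++;
    return changed;
}

int install_all_handlers(void) { return set_all(noop_handler); }
/* User-space analogue of the kernel fix: reset every signal to default. */
int reset_all_handlers(void) { return set_all(SIG_DFL); }
/* Count signals that are caught (neither SIG_DFL nor SIG_IGN).  Right
 * after a correct exec this is zero; anything else is a handler address
 * leaked from the previous image, the condition the advisory describes. */
int count_caught_handlers(void)
{
    struct sigaction cur;
    int sig, caught = 0;
    for (sig = 1; sig < NSIG; sig++)
        if (sigaction(sig, NULL, &cur) == 0 &&
            cur.sa_handler != SIG_DFL && cur.sa_handler != SIG_IGN)
            caught++;
    return caught;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--child") == 0) { /* post-exec image */
        int leaked = count_caught_handlers();
        printf("handlers surviving exec: %d (%s)\n", leaked, leaked ? "BUG" : "OK");
        return leaked ? 1 : 0;
    }
    printf("installed %d handlers, exec'ing self\n", install_all_handlers());
    execl(argv[0], argv[0], "--child", (char *)0);
    perror("execl"); return 1;
}
```

Run it by path (for example `./sigcheck`) so that `argv[0]` can be re-executed; on a correct kernel the child prints a count of 0.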