Date: Tue, 10 Jul 2001 12:25:03 -0400
From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:
Message-ID: <5.1.0.14.0.20010710121959.03e50a40@marble.sentex.ca>
In-Reply-To: <200107101402.f6AE2FK63559@freefall.freebsd.org>
Does anyone know if there are active exploits out there for this issue? Is
it a trivial / script-kiddie-friendly hole? Just trying to get a sense of
how urgent it is to upgrade.
---Mike
At 07:02 AM 7/10/01 -0700, FreeBSD Security Advisories wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>FreeBSD-SA-01:42 Security Advisory
> FreeBSD, Inc.
>
>Topic: signal handling during exec may allow local root
> compromise
>
>Category: core
>Module: kernel
>Announced: 2001-07-10
>Credits: Georgi Guninski <guninski@guninski.com>
>Affects: All released versions of FreeBSD 4.x,
> FreeBSD 4.3-STABLE prior to the correction date.
>Corrected: 2001-07-09
>FreeBSD only: Yes
>
>I. Background
>
>When a process forks, it inherits the parent's signals. When the
>process execs, the kernel clears the signal handlers because they are
>not valid in the new address space.
>
>II. Problem Description
>
>A flaw exists in FreeBSD signal handler clearing that would allow for
>some signal handlers to remain in effect after the exec. Most of the
>signals were cleared, but some signal handlers were not. This allowed
>an attacker to execute arbitrary code in the context of a setuid
>binary.
>
>All versions of 4.x prior to the correction date, including
>4.3-RELEASE, are vulnerable to this problem. The problem has been
>corrected by copying the inherited signal handlers and resetting the
>signals instead of sharing the signal handlers.
>
>III. Impact
>
>Local users may be able to gain increased privileges on the local
>system.
>
>IV. Workaround
>
>Do not allow untrusted users to gain access to the local system.
>
>V. Solution
>
>One of the following:
>
>1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE after the
>correction date.
>
>2) To patch your present system: download the relevant patch from the
>below location, and execute the following commands as root:
>
>[FreeBSD 4.1, 4.2, and 4.3 base systems]
>
>This patch has been verified to apply to FreeBSD 4.1, 4.2, and 4.3 only.
>It may or may not apply to older releases.
>
># fetch
>ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:42/signal-4.3.patch
># fetch
>ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:42/signal-4.3.patch.asc
>
>Verify the detached PGP signature using your PGP utility.
>
># cd /usr/src/sys/kern
># patch -p < /path/to/patch
>
>[ Recompile your kernel as described in
>http://www.freebsd.org/handbook/kernelconfig.html and reboot the
>system ]
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (FreeBSD)
>Comment: FreeBSD: The Power To Serve
>
>-----END PGP SIGNATURE-----
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
