Date:      Tue, 10 Jul 2001 09:40:18 -0700
From:      Jason DiCioccio <jdicioccio@epylon.com>
To:        'Mike Tancsa' <mike@sentex.net>, security@freebsd.org
Subject:   RE: FreeBSD Security Advisory FreeBSD-SA-01:
Message-ID:  <657B20E93E93D4118F9700D0B73CE3EA02FFEFA3@goofy.epylon.lan>

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, I just exploited it with the exploit posted to bugtraq; it is
trivial. The only way I have found to temporarily stop stupid script
kiddies while I upgrade is:

touch /tmp/sh
chmod 0 /tmp/sh

I'd upgrade real soon..

Cheers,
-JD-

-----Original Message-----
From: Mike Tancsa [mailto:mike@sentex.net]
Sent: Tuesday, July 10, 2001 9:25 AM
To: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:



Does anyone know if there are active exploits out there for this
issue? Is it a trivial / script-kiddie-friendly hole? Just trying to get a
sense of how urgent it is to upgrade.

         ---Mike


At 07:02 AM 7/10/01 -0700, FreeBSD Security Advisories wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>FreeBSD-SA-01:42                                            Security Advisory
>                                                                FreeBSD, Inc.
>
>Topic:          signal handling during exec may allow local root
>                 compromise
>
>Category:       core
>Module:         kernel
>Announced:      2001-07-10
>Credits:        Georgi Guninski <guninski@guninski.com>
>Affects:        All released versions of FreeBSD 4.x,
>                 FreeBSD 4.3-STABLE prior to the correction date.
>Corrected:      2001-07-09
>FreeBSD only:   Yes
>
>I.   Background
>
>When a process forks, it inherits the parent's signals.  When the
>process execs, the kernel clears the signal handlers because they
>are not valid in the new address space.
>
>II.  Problem Description
>
>A flaw exists in FreeBSD signal handler clearing that would allow
>for some signal handlers to remain in effect after the exec.  Most
>of the signals were cleared, but some signal handlers were not.
>This allowed an attacker to execute arbitrary code in the context of
>a setuid binary.
>
>All versions of 4.x prior to the correction date, including
>4.3-RELEASE, are vulnerable to this problem.  The problem has been
>corrected by copying the inherited signal handlers and resetting the
>signals instead of sharing the signal handlers.
>
>III. Impact
>
>Local users may be able to gain increased privileges on the local
>system.
>
>IV.  Workaround
>
>Do not allow untrusted users to gain access to the local system.
>
>V.   Solution
>
>One of the following:
>
>1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE after the
>correction date.
>
>2) To patch your present system: download the relevant patch from
>the below location, and execute the following commands as root:
>
>[FreeBSD 4.1, 4.2, and 4.3 base systems]
>
>This patch has been verified to apply to FreeBSD 4.1, 4.2, and 4.3
>only. It may or may not apply to older releases.
>
># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:42/signal-4.3.patch
># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:42/signal-4.3.patch.asc
>
>Verify the detached PGP signature using your PGP utility.
>
># cd /usr/src/sys/kern
># patch -p < /path/to/patch
>
>[ Recompile your kernel as described in
>http://www.freebsd.org/handbook/kernelconfig.html and reboot the
>system ]
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (FreeBSD)
>Comment: FreeBSD: The Power To Serve
>
>iQCVAwUBO0sBrlUuHi5z0oilAQF4nAP/Wi8RsYGjJQ7NgP/+FwMs8/lekAJ9iEan
>3Ph7xpsFEhJFWhCfrhmM71fMnOwpZ5kijztSOEko7TMRzTtG+dZLKcCKmVg+a1dT
>SJmm2SJp3NE1nlYVqSH1vfVeVcJI5rtAQ33gTPhiL5U26AMr4wep/Elv1p/Shb/D
>CUpueXr6tEE=
>=n74Z
>-----END PGP SIGNATURE-----
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>;

iQA/AwUBO0swv1CmU62pemyaEQIRMwCgrtEr+ECiBqG3U2LVyiXr/4qG6d8AniiH
Hg2QUoJx7soua+XBKajtExuV
=Zw3k
-----END PGP SIGNATURE-----
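The advisory quoted above says the kernel fix is to copy the inherited signal handlers and reset them on exec rather than share them with the parent. As an added example (not code from the advisory, the thread, or FreeBSD), here is a small C program showing the post-exec condition a privileged program should be able to rely on: no caught handler survives exec. It counts dispositions that are neither SIG_DFL nor SIG_IGN, can force them back to default, and includes a fork/exec harness in which the parent installs a SIGUSR1 handler, re-executes itself with a `--child` flag (a name chosen here), and the child reports whether any caught disposition leaked through. The function names and the flag are assumptions; it relies only on POSIX sigaction(2), fork(2) and execl(3).

```c
/* Added example, not part of the FreeBSD advisory or this thread.
 * Checks the property FreeBSD-SA-01:42 is about: after exec, no caught
 * signal handler from the parent may remain in effect.  Names below
 * (count_caught_signals, reset_signal_dispositions, "--child") are
 * chosen here, not taken from any project. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#ifndef NSIG
#define NSIG 65   /* fallback upper bound on signal numbers; assumed */
#endif

/* Count signals whose disposition is a caught handler (neither SIG_DFL
 * nor SIG_IGN).  In a freshly exec'd image this must be 0: a handler
 * address carried over from the parent would point into the *new*
 * image at a location the parent chose, which is the advisory's flaw. */
int count_caught_signals(void)
{
    int caught = 0;
    for (int sig = 1; sig < NSIG; sig++) {
        struct sigaction sa;
        /* SIGKILL, SIGSTOP and unused numbers make sigaction fail; skip. */
        if (sigaction(sig, NULL, &sa) != 0)
            continue;
        if (sa.sa_handler != SIG_DFL && sa.sa_handler != SIG_IGN)
            caught++;
    }
    return caught;
}

/* Defensive reset: force every caught signal back to SIG_DFL and return
 * how many dispositions changed.  This mirrors what the kernel fix does
 * (reset instead of share), but userland cannot substitute for the
 * kernel patch: on an unpatched kernel a signal may be delivered before
 * main() even runs.  It is still a cheap startup sanity check. */
int reset_signal_dispositions(void)
{
    int changed = 0;
    for (int sig = 1; sig < NSIG; sig++) {
        struct sigaction sa, dfl;
        if (sigaction(sig, NULL, &sa) != 0)
            continue;
        if (sa.sa_handler == SIG_DFL || sa.sa_handler == SIG_IGN)
            continue;
        memset(&dfl, 0, sizeof dfl);
        dfl.sa_handler = SIG_DFL;
        sigemptyset(&dfl.sa_mask);
        if (sigaction(sig, &dfl, NULL) == 0)
            changed++;
    }
    return changed;
}

static void dummy_handler(int sig) { (void)sig; }

/* Install a caught handler for SIGUSR1 (the "parent" role in the demo). */
int install_test_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = dummy_handler;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGUSR1, &sa, NULL);
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--child") == 0) {
        /* Post-exec image: report how many caught handlers survived. */
        int leaked = count_caught_signals();
        printf("child after exec: %d caught handler(s) survived\n", leaked);
        return leaked > 0 ? 1 : 0;
    }

    install_test_handler();
    printf("parent: %d caught handler(s) installed\n", count_caught_signals());

    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 2; }
    if (pid == 0) {
        /* The forked child inherits the handler; exec must clear it. */
        execl(argv[0], argv[0], "--child", (char *)NULL);
        perror("execl");
        _exit(2);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        printf("kernel reset caught handlers across exec: OK\n");
    else
        printf("a caught handler survived exec: the SA-01:42 condition\n");
    return 0;
}
```

Compile with `cc -o sigcheck sigcheck.c` and run it; on a kernel that resets caught dispositions on exec the child reports 0 surviving handlers. The reset helper is deliberately separate from the check: the check is what a setuid program can assert at startup, while the reset only makes sense as belt-and-braces once the kernel itself is patched.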
