Date: Fri, 15 Jun 2001 19:13:43 +0200
From: Szilveszter Adam <sziszi@petra.hos.u-szeged.hu>
To: freebsd-security@freebsd.org
Subject: Fwd: Re: OpenBSD 2.9,2.8 local root compromise
Message-ID: <20010615191343.B545@petra.hos.u-szeged.hu>
Hello,

I do not think this should go without some investigation. The fact that the
exploit code does not work as posted proves nothing. I am confident however
that the Security Officer Team is already doing its job.

----- Forwarded message from Jason R Thorpe <thorpej@zembu.com> -----

Date: Thu, 14 Jun 2001 23:38:03 -0700
From: Jason R Thorpe <thorpej@zembu.com>
To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Cc: Georgi Guninski <guninski@guninski.com>, Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
Subject: Re: OpenBSD 2.9,2.8 local root compromise
Organization: Zembu Labs, Inc.

On Thu, Jun 14, 2001 at 07:09:31PM +0200, Przemyslaw Frasunek wrote:
> On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
> > OpenBSD 2.9,2.8
> > Have not tested on other OSes but they may be vulnerable
>
> FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
> privileges before allowing detach.

Uh, the fundamental problem is that there's a chance to PT_ATTACH to such
a process before the P_SUGID bit is set in the proc. This can happen when,
e.g. the ucred structure is copied (there is a potentially blocking malloc()
call in that path).

A cursory glance shows several places where the FreeBSD kernel has code like:

	/* sanity check */
	/* blocking call */
	/* change user/group ID */
	/* set P_SUGID */

During the /* blocking call */, another process can sneak in and PT_ATTACH
the process that is about to become sugid.

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>

----- End forwarded message -----

-- 
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
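The ordering problem Thorpe describes (attach allowed during a blocking call that sits between the sanity check and the setting of P_SUGID) is easy to see in a small user-space model. The following is an added illustration, not FreeBSD or OpenBSD kernel code and not anything from the thread: the exec path is reduced to its four steps, an attach request is injected exactly at the blocking step, and the attach policy is evaluated against the process flags at that instant. The `P_INEXEC` name, the `struct proc` layout and the step enumeration are assumptions made for this model; the mitigation it shows is simply to mark the process as in-transition before the blocking call so the attach check already refuses it.

```c
/* Constructed model of the race described in the message above; this is
 * not kernel code. The exec path of a set-id image is reduced to
 *   sanity check -> blocking call -> change uid/gid -> set P_SUGID
 * and a PT_ATTACH request is checked against the flags as they stand at
 * the moment it arrives (during the blocking call). */
#include <stdbool.h>
#include <stdio.h>

/* P_INEXEC is a hypothetical "becoming set-id" marker used only here. */
enum { P_SUGID = 0x1, P_INEXEC = 0x2 };

struct proc {
    int flags;
    int uid;       /* effective uid of the process */
    bool traced;   /* set once an attach has been granted */
};

/* Attach policy: a non-root tracer may attach only to a process with its
 * own uid that is neither set-id nor in the middle of becoming set-id. */
static bool pt_attach_allowed(const struct proc *p, int tracer_uid)
{
    if (tracer_uid == 0)
        return true;
    if (p->flags & (P_SUGID | P_INEXEC))
        return false;
    return p->uid == tracer_uid;
}

enum { STEP_SANITY = 0, STEP_BLOCK, STEP_SETID, STEP_SUGID, STEP_DONE };

/* Walk the exec path for p, letting a tracer with tracer_uid try one
 * PT_ATTACH exactly while the path sits in the blocking call.
 * mark_early = false: the vulnerable ordering, the flag is set only at the
 *                     end, so the attach check sees an ordinary process.
 * mark_early = true:  the mitigation, the process is flagged as
 *                     in-transition before it can block.
 * Returns true if the attach was granted. */
static bool run_exec_with_attach(struct proc *p, int tracer_uid, bool mark_early)
{
    bool attached = false;

    for (int s = STEP_SANITY; s != STEP_DONE; s++) {
        switch (s) {
        case STEP_SANITY:
            if (mark_early)
                p->flags |= P_INEXEC;   /* close the window before blocking */
            break;
        case STEP_BLOCK:
            /* the blocking call: another process gets to run here */
            if (pt_attach_allowed(p, tracer_uid)) {
                p->traced = true;
                attached = true;
            }
            break;
        case STEP_SETID:
            p->uid = 0;                 /* e.g. a setuid-root image */
            break;
        case STEP_SUGID:
            p->flags |= P_SUGID;        /* too late under the vulnerable ordering */
            p->flags &= ~P_INEXEC;
            break;
        default:
            break;
        }
    }
    return attached;
}

/* The outcome that matters: does an unprivileged tracer end up attached
 * to a process that has since become uid 0? */
static bool tracer_ends_up_on_root(bool mark_early)
{
    struct proc p = { .flags = 0, .uid = 1000, .traced = false };
    bool attached = run_exec_with_attach(&p, 1000, mark_early);
    return attached && p.traced && p.uid == 0;
}

int main(void)
{
    printf("flag set after the blocking call:  tracer on root process = %s\n",
           tracer_ends_up_on_root(false) ? "yes" : "no");
    printf("flag set before the blocking call: tracer on root process = %s\n",
           tracer_ends_up_on_root(true) ? "yes" : "no");
    return 0;
}
```

The model makes the thread's point concrete: the check in `pt_attach_allowed` is fine on its own, and the bug is purely one of ordering. Any fix has to make the "about to become set-id" state visible to the attach path before the first point at which the exec path can sleep, or has to re-validate the tracer after the identity change; setting P_SUGID at the end is not enough.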