Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 10 Dec 2001 13:18:29 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        security@freebsd.org
Subject:   AIO vulnerability (from bugtraq)
Message-ID:  <5.1.0.14.0.20011210131730.04998cf0@marble.sentex.ca>
next in thread | raw e-mail | index | archive | help 

For those not on bugtraq,

	---Mike

------------------------------------------------------------------------------
Soniq Security Advisory
David Rufino <dr@soniq.net> Dec 9, 2001

Race Condition in FreeBSD AIO implementation
http://elysium.soniq.net/dr/tao/tao.html
------------------------------------------------------------------------------

RISK FACTOR: LOW

SYNOPSIS

AIO is a POSIX standard for asynchronous I/O. Under certain conditions,
scheduled AIO operations persist after an execve, allowing arbitrary
overwrites in the memory of the new process. Combined with the permission
to execute suid binaries, this can yield elevated priviledges.
Currently VFS_AIO is not enabled in the default FreeBSD kernel config,
however comments in ``LINT'' suggest security issues have been known about
privately for some time:

# Use real implementations of the aio_* system calls.  There are numerous
# stability issues in the current aio code that make it unsuitable for
# inclusion on shell boxes.

The type of file descriptor used for the AIO operation is important. For
instance operations on pipes will not complete fully after an execve,
whereas operations on sockets will. It is not known whether AIO operations
on hard disk files persist in the desired manner.

VULNERABLE SYSTEMS

FreeBSD 4-STABLE upto at least 28/10/01

RESOLUTION

Currently there are no known patches to remove all security issues. However
a patch is available to limit the use of AIO syscalls to root at
http://elysium.soniq.net/dr/tao/patch-01

EXPLOIT

Given that FreeBSD AIO is not in active use at the moment, I have made
available a proof of concept exploit, at http://elysium.soniq.net/dr/tao/tao.c

CREDITS

Discovery and exploitation was conducted by David Rufino.

CONTACT INFORMATION

dr+securityfocussucks@soniq.net
http://elysium.soniq.net/dr/index.html
-------------------------------------------------


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.0.14.0.20011210131730.04998cf0>