Date:      Tue, 18 Feb 1997 19:50:52 -0800
From:      Cy Schubert <cy@cwsys.cwent.com>
To:        tqbf@enteract.com
Cc:        freebsd-security@freebsd.org
Subject:   Re: Security problem in FreeBSD /sbin/init 
Message-ID:  <199702190351.TAA01277@cwsys.cwent.com>
In-Reply-To: Your message of "Tue, 18 Feb 1997 19:34:11 CST." <199702190134.TAA12057@enteract.com> 

> 
> This problem will probably be picked up by the sweeping audit of your code
> base, but I figured I'd alert you to it anyways.
> 
> FreeBSD, in revisions up to and including -current, has a stack overrun in
> /sbin/init. The affected routines are "start_getty()" and
> "start_window_system()", both of which can be tricked into reading an
> overly large "type" entry from the /etc/ttys file (which is copied into an
> array on the stack used to hold the "TERM" environment variable for a
> subsequent execve() call).
> 
> This overflow is only exploitable if you control /etc/ttys. On almost all
> systems, this means it's only an issue if you're root.
> 
> Unfortunately, this is a serious issue in init's case. Unbeknownst to
> many, init (or, more specifically, PID 1) can change the securelevel
> arbitrarily in 4.4BSD systems. The purpose of securelevels is to "secure
> the system from root", disabling the modification of crucial system
> binaries. The "immutable" flag depends on this concept. This overflow
> provides intruders with a means to evade the immutable (or append-only, or
> any other securelevel-dependent concept) mechanism.
> 
> Given my relative unfamiliarity with the FreeBSD CVS "protocol", such as
> it is, I'll leave it for another developer to fix this. The problem is an
> unchecked string copy in both routines, and can easily be resolved by
> sticking an "n" in the strcpy() function call.
> 
> Good luck with the audit.

I don't think this is a security problem since /sbin/init has permissions
of 500 and /etc/ttys has permissions of 644.


Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

                "Quit spooling around, JES do it."
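
The unchecked copy described in the quoted report, shown here in its bounded form as an added example; it is not part of the original messages and is not FreeBSD's init source. The function names and the 64-byte buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TERM_BUF 64 /* assumed size; the message does not give the real one */

/* Hypothetical helper: write "TERM=<type>" into out[outlen].
 * Returns 0 on success, -1 if it would not fit; out is then left empty
 * so a truncated value is never handed to execve(). */
int build_term_env(char *out, size_t outlen, const char *type)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (type == NULL)
        return -1;
    n = snprintf(out, outlen, "TERM=%s", type);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* The "add an n" variant: strncpy() bounds the copy but leaves out
 * unterminated when the source fills it, so terminate explicitly.
 * Returns 1 if the value was truncated, 0 if it fit, -1 on bad arguments. */
int copy_type_strncpy(char *out, size_t outlen, const char *type)
{
    if (out == NULL || outlen == 0 || type == NULL)
        return -1;
    strncpy(out, type, outlen - 1);
    out[outlen - 1] = '\0';
    return strlen(type) >= outlen ? 1 : 0;
}

int main(void)
{
    char term[TERM_BUF];
    char longtype[200]; /* constructed oversized "type" field */

    memset(longtype, 'A', sizeof(longtype) - 1);
    longtype[sizeof(longtype) - 1] = '\0';
    printf("%d \"%s\"\n", build_term_env(term, sizeof(term), "vt100"), term);
    printf("%d \"%s\"\n", build_term_env(term, sizeof(term), longtype), term);
    return 0;
}
```

Rejecting an oversized field outright, rather than silently truncating it, also gives the caller a condition it can log when /etc/ttys contains an unexpected entry.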


