Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2002.191 -- FreeBSD-SA-02:23.stdio insecure handling of stdio file descriptors 23 April 2002 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: stdio Vendor: FreeBSD Operating System: FreeBSD releases up to and including 4.5-RELEASE 4.5-STABLE prior to the correction date BSD UNIX Impact: Root Compromise Access Required: Existing Account - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:23.stdio Security Advisory The FreeBSD Project Topic: insecure handling of stdio file descriptors Category: core Module: kernel Announced: 2002-04-22 Credits: Joost Pol <joost@pine.nl> Affects: All releases of FreeBSD up to and including 4.5-RELEASE 4.5-STABLE prior to the correction date Corrected: 2002-04-21 13:06:45 UTC (RELENG_4) 2002-04-21 13:08:57 UTC (RELENG_4_5) 2002-04-21 13:10:51 UTC (RELENG_4_4) FreeBSD only: NO I. Background By convention, POSIX systems associate file descriptors 0, 1, and 2 with standard input, standard output, and standard error, respectively. Almost all applications give these stdio file descriptors special significance, such as writing error messages to standard error (file descriptor 2). In new processes, all file descriptors are duplicated from the parent process. Unless these descriptors are marked close-on-exec, they retain their state during an exec. All POSIX systems assign file descriptors in sequential order, starting with the lowest unused file descriptor. For example, if a newly exec'd process has file descriptors 0 and 1 open, but file descriptor 2 closed, and then opens a file, the new file descriptor is guaranteed to be 2 (standard error). II. Problem Description Some programs are set-user-id or set-group-id, and therefore run with increased privileges. If such a program is started with some of the stdio file descriptors closed, the program may open a file and inadvertently associate it with standard input, standard output, or standard error. The program may then read data from or write data to the file inappropriately. If the file is one that the user would normally not have privileges to open, this may result in an opportunity for privilege escalation. III. Impact Local users may gain superuser privileges. It is known that the `keyinit' set-user-id program is exploitable using this method. There may be other programs that are exploitable. IV. Workaround None. The set-user-id bit may be removed from `keyinit' using the following command, but note that there may be other programs that can be exploited. # chmod 0555 /usr/bin/keyinit V. Solution 1) Upgrade your vulnerable system to 4.5-STABLE; or to either of the RELENG_4_5 (4.5-RELEASE-p4) or RELENG_4_4 (4.4-RELEASE-p11) security branches dated after the respective correction dates. 2) To patch your present system: a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - - ------------------------------------------------------------------------- sys/sys/filedesc.h RELENG_4 1.19.2.4 RELENG_4_5 1.19.2.3.6.1 RELENG_4_4 1.19.2.3.4.1 sys/kern/kern_exec.c RELENG_4 1.107.2.14 RELENG_4_5 1.107.2.13.2.1 RELENG_4_4 1.107.2.8.2.2 sys/kern/kern_descrip.c RELENG_4 1.81.2.11 RELENG_4_5 1.81.2.9.2.1 RELENG_4_4 1.81.2.8.2.1 sys/conf/newvers.sh RELENG_4_5 1.44.2.20.2.5 RELENG_4_4 1.44.2.17.2.10 - - ------------------------------------------------------------------------- VII. References PINE-CERT-20020401 <URL:http://www.pine.nl/advisories/pine-cert-20020401.txt> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPMRPoFUuHi5z0oilAQE0/AP/R2qPI5bI2XIFgQ6FL+m4rUZ7M6VQzZqY yzGskbEkG2LKTYPFQ/FF+Tx6ffbMicnyrTTvDcJ3F9lmKRNvPBVaOuiNBjkrLdQc rerg2aHSJunQCkcd7f/+RjxtWO8wbjTM9TXmc8X1G9kJGaglCwEfHkZJzmsyGDyD qjkDToXu9a8= =oXDh - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBPMV8Kih9+71yA2DNAQEOEQP8D3Rio3Wh9NBoTAx7n3Ft754oeQv3FANx UpJUFGmIpK3yiL+AvBIU01E+VOH3nElain/al1Mr9mpEYQ+UCOUQ8L6C02ZisI54 76QW+r0uHU5rwqoWqNOx5qvVzUZ29Q53DJJEe12MVZBuSJxaRs1EIFg4gTOVYLwd d0x7HOWoje8= =Nwtt -----END PGP SIGNATURE-----