-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

             ESB-2002.372 -- FreeBSD-SA-02:23.stdio [REVISED]
                insecure handling of stdio file descriptors
                               31 July 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                stdio
Vendor:                 FreeBSD
Operating System:       FreeBSD releases up to and including 4.6-RELEASE
                        FreeBSD 4.6-STABLE prior to the correction date
                        BSD
                        UNIX
Impact:                 Root Compromise
Access Required:        Existing Account

Ref:                    ESB-2002.191

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:23.stdio                                      Security Advisory
                                                          The FreeBSD Project

Topic:          insecure handling of stdio file descriptors

Category:       core
Module:         kernel
Announced:      2002-04-22
Credits:        Joost Pol <joost@pine.nl>,
                Georgi Guninski <guninski@guninski.com>
Affects:        All releases of FreeBSD up to and including 4.6-RELEASE
                4.6-STABLE prior to the correction date
Corrected:      2002-07-30 15:40:46 UTC (RELENG_4)
                2002-07-30 15:42:11 UTC (RELENG_4_6)
                2002-07-30 15:42:46 UTC (RELENG_4_5)
                2002-07-30 15:43:17 UTC (RELENG_4_4)
FreeBSD only:   NO

0.   Revision History

v1.0  2002-04-22  Initial release
v1.1  2002-04-23  Patch and revision numbers updated
v1.2  2002-07-29  procfs issue; updated patch

I.   Background

By convention, POSIX systems associate file descriptors 0, 1, and 2
with standard input, standard output, and standard error,
respectively.  Almost all applications give these stdio file
descriptors special significance, such as writing error messages to
standard error (file descriptor 2).

In new processes, all file descriptors are duplicated from the parent
process.  Unless these descriptors are marked close-on-exec, they
retain their state during an exec.

All POSIX systems assign file descriptors in sequential order,
starting with the lowest unused file descriptor.  For example, if a
newly exec'd process has file descriptors 0 and 1 open, but file
descriptor 2 closed, and then opens a file, the new file descriptor is
guaranteed to be 2 (standard error).

II.  Problem Description

Some programs are set-user-id or set-group-id, and therefore run with
increased privileges.  If such a program is started with some of the
stdio file descriptors closed, the program may open a file and
inadvertently associate it with standard input, standard output, or
standard error.  The program may then read data from or write data to
the file inappropriately.  If the file is one that the user would
normally not have privileges to open, this may result in an
opportunity for privilege escalation.

The original correction for this problem (corresponding to the first
revision of this advisory) contained an error.  Systems using procfs
or linprocfs could still be exploited.  The dates for the original,
incomplete correction were:

Corrected:      2002-04-21 13:06:45 UTC (RELENG_4)
                2002-04-21 13:08:57 UTC (RELENG_4_5)
                2002-04-21 13:10:51 UTC (RELENG_4_4)

III. Impact

Local users may gain superuser privileges.  It is known that the
`keyinit' set-user-id program is exploitable using this method.  There
may be other programs that are exploitable.

IV.  Workaround

[FreeBSD systems earlier than 4.5-RELEASE-p4 and 4.4-RELEASE-p11]

None.  The set-user-id bit may be removed from `keyinit' using the
following command, but note that there may be other programs that can
be exploited.

# chmod 0555 /usr/bin/keyinit

[FreeBSD versions 4.5-RELEASE-p4 or later, 4.4-RELEASE-p11 or later,
 4.6-RELEASE, and 4.6-STABLE]

Unmount all instances of the procfs and linprocfs filesystems using
the umount(8) command:

# umount -f -a -t procfs
# umount -f -a -t linprocfs

V.   Solution

The kernel was modified to check file descriptors 0, 1, and 2 when
starting a set-user-ID or set-group-ID executable.  If any of these
are not in use, they will be redirected to /dev/null.

1) Upgrade your vulnerable system to 4.6-STABLE; or to any of
the RELENG_4_6 (4.6.1-RELEASE-p1), RELENG_4_5 (4.5-RELEASE-p10), or
RELENG_4_4 (4.4-RELEASE-p17) security branches dated after the
respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.


[FreeBSD systems earlier than 4.5-RELEASE-p4 and 4.4-RELEASE-p11]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch.v1.2
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch.v1.2.asc

[FreeBSD versions 4.5-RELEASE-p4 or later, 4.4-RELEASE-p11 or later,
 4.6-RELEASE, and 4.6-STABLE]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio2.patch.v1.2
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio2.patch.v1.2.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
- - -------------------------------------------------------------------------
sys/sys/filedesc.h
  RELENG_4                                                       1.19.2.4
  RELENG_4_6                                                     1.19.2.4
  RELENG_4_5                                                 1.19.2.3.6.1
  RELENG_4_4                                                 1.19.2.3.4.1
sys/kern/kern_exec.c
  RELENG_4                                                     1.107.2.15
  RELENG_4_6                                               1.107.2.14.2.1
  RELENG_4_5                                               1.107.2.13.2.2
  RELENG_4_4                                                1.107.2.8.2.3
sys/kern/kern_descrip.c
  RELENG_4                                                      1.81.2.12
  RELENG_4_6                                                    1.81.2.14
  RELENG_4_5                                                 1.81.2.9.2.2
  RELENG_4_4                                                 1.81.2.8.2.2
sys/conf/newvers.sh
  RELENG_4_6                                                1.44.2.23.2.6
  RELENG_4_5                                               1.44.2.20.2.11
  RELENG_4_4                                               1.44.2.17.2.16
- - -------------------------------------------------------------------------

VII. References

PINE-CERT-20020401 <URL:http://www.pine.nl/advisories/pine-cert-20020401.txt>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPUbXw1UuHi5z0oilAQFgKQP/eOnmHorw/4NVEAEKTQp4+X7Px9p1wUGq
6OcLH5GuTbbwexd7KbCjbjzNZF7zgz1Qph2v7NQXb+W/ZaW2hEgcoURXkBomVxjl
61oXu72P35bmgNo7GQ794v/WDHd8FymtBv0kyY/vuZqg6l99tTuwi2ryV1ZszVrh
w21lAbhkyQo=
=YGVw
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for member emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPUfGXSh9+71yA2DNAQEkRAP/fhg7ZWa+eapmeXyGS6yZ376SpoYGM1hi
thV2LB7yo5NQUCoSs2sSDyTKdV5lgflumPXTT8mOT9oM5wlqc8Mwh96/VIL4w/DB
thSvENtZIUidBCzIvw3ZYa10OGVYaWbacGy/ksKvxs01n3Vu4sWGmRRvjdtbgFC6
KLN35WtBoVU=
=6SXG
-----END PGP SIGNATURE-----