Vulnerability Note VU#314963

OpenBSD kernel fails to properly check closed file descriptors "0-2" when running setuid program

Overview

The OpenBSD kernel does not adequately check file descriptors 0-2 prior to exec()ing setuid binaries. Other OS kernels may be vulnerable as well.

I. Description

The OpenBSD kernel does not adequately check file descriptors 0-2 prior to exec()ing setuid binaries. As a result, an attacker may be able to gain elevated privileges.

II. Impact

A local attacker can gain root privileges.

III. Solution

Apply a patch from your vendor.

OpenBSD patches are available from:

OpenBSD Patch 026_fdalloc2.patch:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/026_fdalloc2.patch

OpenBSD 3.0:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/021_fdalloc2.patch

OpenBSD 3.1:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/003_fdalloc2.patch

Systems Affected

Vendor	Status	Date Notified
Apple Computer Inc.	Not Vulnerable	15-May-2002
BSDI	Unknown	15-May-2002
Cisco Systems Inc.	Unknown	15-May-2002
Compaq Computer Corporation	Unknown	15-May-2002
Cray Inc.	Not Vulnerable	15-May-2002
Data General	Unknown	15-May-2002
Debian	Unknown	15-May-2002
FreeBSD	Not Vulnerable	15-May-2002
Fujitsu	Unknown	10-May-2002
Guardian Digital Inc.	Unknown	15-May-2002
Hewlett-Packard Company	Not Vulnerable	15-May-2002
IBM	Not Vulnerable	16-May-2002
MandrakeSoft	Unknown	15-May-2002
NEC Corporation	Unknown	15-May-2002
NetBSD	Unknown	15-May-2002
Nortel Networks	Unknown	13-May-2002
OpenBSD	Vulnerable	16-May-2002
Red Hat Inc.	Unknown	10-May-2002
Sequent	Unknown	15-May-2002
SGI	Not Vulnerable	15-May-2002
Sony Corporation	Unknown	15-May-2002
SSH Communications Security	Unknown	15-May-2002
Sun Microsystems Inc.	Unknown	15-May-2002
SuSE Inc.	Unknown	15-May-2002
The SCO Group	Vulnerable	12-Dec-2002
Unisys	Unknown	15-May-2002

References

http://www.dmpfrance.com/fd_openbsd.c
http://www.securityfocus.com/bid/4708
http://www.openbsd.org/errata.html#fdalloc2
http://www.openbsd.org/errata30.html#fdalloc2

Credit

This document was written by Ian A. Finlay.

Other Information

Date Public:	2002-05-09
Date First Published:	2002-05-24
Date Last Updated:	2002-12-12
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:	29.53
Document Revision:	24

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader