US-CERT Vulnerability Notes Database

OpenBSD Information for VU#314963

Date Notified:
Date Updated:
Statement Date:
Status Summary: Vulnerable

Vendor Statement

In July of 1998 the OpenBSD kernel was modified to populate file
descriptors 0-2 on exec for setuid (and setgid) processes. This
was done to defeat an attack on setuid programs that open files for
writing and also write to descriptors 0-2 (usually via stdin, stdout
or stderr).

The fix at that time didn't properly deal with the possibility that
the allocation of the dummy descriptors could fail due to a full
file descriptor table. It has come to our attention that there is
a winnable race condition when the file descriptor table is full,
allowing an fd 0-2 attack to succeed.

Credit for finding this goes to FozZy of Hackademy / Hackerz Voice.
Please see his advisory on bugtraq for more in-depth details.

The following patches are available:

OpenBSD-3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/003_fdalloc2.patch

OpenBSD-3.0:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/021_fdalloc2.patch

OpenBSD-2.9:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/026_fdalloc2.patch

OpenBSD-current as well as the OpenBSD 2.9, 3.0 and 3.1 -stable
branches have already been patched.
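The statement above describes the attack only in outline. The following is an added example, not OpenBSD's kernel code or anything from CERT/CC: it models the fd 0-2 attack in-process (a victim that opens a privileged file for writing and then writes an error message to descriptor 2, run after the attacker has closed descriptor 2), and a user-space guard that does what the 1998 kernel change did on exec for setuid binaries, but fails closed when the dummy /dev/null descriptor cannot be allocated, which is the case the first fix mishandled. The function names, the /tmp path and the sample file content are constructed for the demo; the "table full" condition is produced by lowering the soft RLIMIT_NOFILE to 2, relying on the POSIX rule that open() fails with EMFILE when the lowest free descriptor is at or above the limit.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/types.h>

/* Constructed sample content standing in for a file only root may write. */
static const char SAMPLE_PASSWD[] = "root:x:0:0:root:/root:/bin/sh\n";
static const char VICTIM_MSG[]    = "victim: warning: unexpected input\n";

static int fd_is_open(int fd) { return fcntl(fd, F_GETFD) != -1; }

/* Occupy every descriptor below 'upto' so the next open() in this process
 * returns exactly 'upto' when that slot is free (open() hands out the
 * lowest free number, hence the ascending loop). */
static void occupy_fds_below(int upto)
{
    for (int fd = 0; fd < upto; fd++)
        if (!fd_is_open(fd))
            (void)open("/dev/null", O_RDWR);
}

/* The part of a setuid program the attack abuses, modelled in-process:
 * open a privileged file for writing, then report an error on descriptor
 * 2, which the program assumes is still its stderr. */
static void victim_body(const char *privfile)
{
    int fd = open(privfile, O_WRONLY);
    if (fd < 0)
        return;
    (void)write(STDERR_FILENO, VICTIM_MSG, strlen(VICTIM_MSG));
    close(fd);
}

/* The fd 0-2 attack: descriptor 2 is closed before the victim runs, so the
 * victim's open() of privfile returns 2 and its "error message" overwrites
 * the start of privfile.  Returns 1 if the message landed in the file,
 * 0 if not, -1 on setup error. */
int demo_fd2_attack(const char *privfile)
{
    int fd = open(privfile, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    (void)write(fd, SAMPLE_PASSWD, strlen(SAMPLE_PASSWD));
    close(fd);

    occupy_fds_below(2);
    int saved = dup(STDERR_FILENO);     /* keep a copy to restore afterwards */
    close(STDERR_FILENO);               /* attacker's setup before exec */
    victim_body(privfile);
    dup2(saved, STDERR_FILENO);
    close(saved);

    char buf[128] = {0};
    fd = open(privfile, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    unlink(privfile);
    return n < 0 ? -1 : (strstr(buf, "victim: warning") != NULL);
}

/* What a setuid program (or the kernel on exec) must do first: make sure
 * 0-2 are occupied so no later open() can land on them.  A failed
 * /dev/null open (EMFILE/ENFILE when the table is full) returns -1 so the
 * caller can abort rather than run exposed, instead of being ignored. */
int sanitize_std_fds(void)
{
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd != fd) {                /* open failed (or got another slot) */
            if (nfd >= 0)
                close(nfd);
            return -1;
        }
    }
    return 0;
}

/* The case the first fix mishandled: descriptor 2 closed but no descriptor
 * numbered 2 or above allocatable (soft limit lowered to 2).  Returns 1 if
 * the guard refused (-1), 0 if it wrongly reported success, -1 on setup
 * error.  Limit and stderr are restored before returning. */
int demo_full_table(void)
{
    struct rlimit saved_rl, rl;
    if (getrlimit(RLIMIT_NOFILE, &saved_rl) != 0)
        return -1;
    occupy_fds_below(2);
    int saved = dup(STDERR_FILENO);
    close(STDERR_FILENO);
    rl = saved_rl;
    rl.rlim_cur = 2;
    int rc = setrlimit(RLIMIT_NOFILE, &rl) == 0 ? sanitize_std_fds() : -2;
    setrlimit(RLIMIT_NOFILE, &saved_rl);    /* restore before dup2 to fd 2 */
    dup2(saved, STDERR_FILENO);             /* replaces /dev/null if guard wrongly opened it */
    close(saved);
    return rc == -2 ? -1 : (rc == -1 ? 1 : 0);
}

int main(void)
{
    printf("attack lands stderr text in the file: %d\n",
           demo_fd2_attack("/tmp/vu314963_demo.txt"));
    printf("guard refuses when fd 2 cannot be filled: %d\n", demo_full_table());
    return 0;
}
```

The guard is the user-space analogue of the kernel behaviour described in the statement; the point of demo_full_table() is that a guard which silently continues after the /dev/null open fails leaves the program in exactly the state the attack needs, so allocation failure has to be treated as fatal.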

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Produced 2009 by US-CERT, a government organization