Overview
The OpenBSD kernel does not adequately check file descriptors 0-2 prior to exec()ing setuid binaries. Other OS kernels may be vulnerable as well.
Description
The OpenBSD kernel does not adequately check file descriptors 0-2 prior to exec()ing setuid binaries. As a result, an attacker may be able to gain elevated privileges.
Impact
A local attacker can gain root privileges.
Solution
Apply a patch from your vendor. OpenBSD patches are available from:
Vendor Information
OpenBSD Affected
Updated: May 16, 2002
Status
Affected
Vendor Statement
In July of 1998 the OpenBSD kernel was modified to populate file
descriptors 0-2 on exec for setuid (and setgid) processes. This
was done to defeat an attack on setuid programs that open files for
writing and also write to descriptors 0-2 (usually via stdin, stdout
or stderr).
The fix at that time didn't properly deal with the possibility that
the allocation of the dummy descriptors could fail due to a full
file descriptor table. It has come to our attention that there is
a winnable race condition when the file descriptor table is full,
allowing an fd 0-2 attack to succeed.
Credit for finding this goes to FozZy of Hackademy / Hackerz Voice.
Please see his advisory on bugtraq for more in-depth details.
The following patches are available:
OpenBSD-3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/003_fdalloc2.patch
OpenBSD-3.0:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/021_fdalloc2.patch
OpenBSD-2.9:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/026_fdalloc2.patch
OpenBSD-current as well as the OpenBSD 2.9, 3.0 and 3.1 -stable
branches have already been patched.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
The SCO Group Affected
Notified: May 09, 2002 Updated: December 12, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Title
=====
SCO Security Advisory:
UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor race vulnerability
Detail
======
______________________________________________________________________________
SCO Security Advisory
Subject:UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor race vulnerability
Advisory number: CSSA-2002-SCO.43
Issue date: 2002 December 09
Cross reference:
______________________________________________________________________________
1. Problem Description
On current OpenBSD systems, any local user (being or not in
the wheel group) can fill the kernel file descriptors table,
leading to a denial of service. Because of a flaw in the way
the kernel checks closed file descriptors 0-2 when running a
setuid program, it is possible to combine these bugs and earn
root access by winning a race condition.
Since UnixWare does not have a global kernel file descriptors
table (it has per-process dynamic file descriptors table), it
is not prone to the denial of service attack and the race
condition resulting in root exploit.
The second problem, however, does exist - closing file
descriptors 0, 1 and/or 2 before exec'ing a setuid program
can make this program open files under these fds, which have
special meanings for libc (stdin/out/err). Reading or writing
to root-owned files can be made possible, since
stdXX==opened_file.
The fix done for BSD is to check (in the kernel) before
exec'ing a set[ug]id program if fd 0, 1 and 2 are closed, and
if so redirect them to /dev/null. We have done the same fix
for UnixWare.
This fix will only kick in when an unprivileged process
execs a set[ug]id program.
2. Vulnerable Supported Versions
System            Binaries
----------------------------------------------------------------------
UnixWare 7.1.1    /etc/conf/pack.d/proc/Driver_atup.o
                  /etc/conf/pack.d/proc/Driver_mp.o
Open UNIX 8.0.0   /etc/conf/pack.d/proc/Driver_atup.o
                  /etc/conf/pack.d/proc/Driver_mp.o
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.1
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43
4.2 Verification
MD5 (erg712059.711.pkg.Z) = 1545beb0d12890de701e129de54bf7b6
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
*** NOTE: THE UW711M2 SUPPLEMENT MUST BE INSTALLED PRIOR TO
APPLYING THIS UPDATE.
Upgrade the affected binaries with the following sequence:
Download erg712059.711.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712059.711.pkg.Z
# pkgadd -d /var/spool/pkg/erg712059.711.pkg
5. Open UNIX 8.0.0
5.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43
5.2 Verification
MD5 (erg712059.ou8.pkg.Z) = 9291ab96576e48b55e981190480855ca
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.3 Installing Fixed Binaries
*** NOTE: THE OU800PK4 SUPPLEMENT MUST BE INSTALLED PRIOR TO
APPLYING THIS UPDATE.
Upgrade the affected binaries with the following sequence:
Download erg712059.ou8.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712059.ou8.pkg.Z
# pkgadd -d /var/spool/pkg/erg712059.ou8.pkg
6. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0766
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr865063, fz526562,
erg712059.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
8. Acknowledgements
FozZy <fozzy@dmpfrance.com>, et al. discovered and researched
this vulnerability.
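The descriptor sanitization that the OpenBSD statement and section 1 of the SCO advisory both describe, as an added example: this is not code from OpenBSD, SCO or CERT/CC, but a user-space counterpart of the kernel fix, the check a set[ug]id program can run itself before its first open(). It assumes a POSIX system with /dev/null and C99; the function names (ensure_std_fds, fd_is_open, fd_is_devnull, the two scenario_* helpers) are the example's own. The second scenario reproduces the failure mode OpenBSD names, a full descriptor table, by lowering RLIMIT_NOFILE, and shows the repair failing loudly instead of leaving fd 2 free.

```c
/* Added example (not OpenBSD's or SCO's code): point closed fds 0-2 at
 * /dev/null before a privileged program opens anything, and treat failure
 * to do so as fatal. Names and scenarios are constructed for this example. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd is open, 0 if closed (fcntl fails with EBADF on a closed fd). */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* 1 if fd refers to /dev/null (same device and inode as stat("/dev/null")). */
int fd_is_devnull(int fd)
{
    struct stat a, b;
    if (fstat(fd, &a) == -1 || stat("/dev/null", &b) == -1)
        return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Point every closed descriptor among 0, 1, 2 at /dev/null. Returns the
 * number repaired, or -1 if one could not be allocated (e.g. EMFILE/ENFILE
 * when a table is full). A caller must abort on -1: continuing would leave
 * a low descriptor free for its next open() to claim, which is the bug. */
int ensure_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        /* open() returns the lowest free number, so nfd == fd unless
         * another thread raced in; dup2() handles that case as well. */
        if (nfd != fd) {
            int r = dup2(nfd, fd);
            close(nfd);
            if (r == -1)
                return -1;
        }
        repaired++;
    }
    return repaired;
}

/* Constructed scenario: the caller closed stderr before exec. Returns 1 if
 * the repair left fd 2 open on /dev/null. The original fd 2 is restored. */
int scenario_closed_stderr(void)
{
    int saved = dup(2);
    if (saved == -1 && errno != EBADF)
        return 0;
    if (saved != -1)
        close(2);
    int was_closed = !fd_is_open(2);
    int repaired = ensure_std_fds();
    int ok = was_closed && repaired >= 1 && fd_is_devnull(2);
    if (saved != -1) {
        dup2(saved, 2);
        close(saved);
    }
    return ok;
}

/* Constructed scenario for OpenBSD's failure mode: with RLIMIT_NOFILE set
 * so that no descriptor numbered 2 can be allocated, the repair must report
 * -1 rather than silently leave fd 2 closed. Returns 1 if it does; the
 * limit and the original fd 2 are restored afterwards. */
int scenario_full_table(void)
{
    struct rlimit old, tight;
    if (getrlimit(RLIMIT_NOFILE, &old) == -1)
        return 0;
    int saved = dup(2);
    if (saved == -1 && errno != EBADF)
        return 0;
    if (saved != -1)
        close(2);
    tight = old;
    tight.rlim_cur = 2;            /* only fds 0 and 1 may now be allocated */
    if (setrlimit(RLIMIT_NOFILE, &tight) == -1)
        return 0;
    int rc = ensure_std_fds();
    int still_closed = !fd_is_open(2);
    setrlimit(RLIMIT_NOFILE, &old);
    if (saved != -1) {
        dup2(saved, 2);
        close(saved);
    }
    return rc == -1 && still_closed;
}

int main(void)
{
    printf("closed stderr repaired: %d\n", scenario_closed_stderr());
    printf("full table reported:    %d\n", scenario_full_table());
    return 0;
}
```

The return value is the point: the 1998 OpenBSD fix did the same redirection but did not handle the allocation failing, and the SCO statement notes the kernel check only fires when an unprivileged process execs a set[ug]id program. A program-side check like this one is defense in depth for both gaps, provided the program refuses to run when ensure_std_fds() returns -1.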
Apple Computer Inc. Not Affected
Notified: May 09, 2002 Updated: May 15, 2002
Status
Not Affected
Vendor Statement
Mac OS X does not contain this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Cray Inc. Not Affected
Notified: May 09, 2002 Updated: May 15, 2002
Status
Not Affected
Vendor Statement
Cray, Inc. is not vulnerable since the skey program is not supported in Unicos and Unicos/mk.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
FreeBSD Not Affected
Notified: May 09, 2002 Updated: May 15, 2002
Status
Not Affected
Vendor Statement
We are not affected.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Hewlett-Packard Company Not Affected
Notified: May 09, 2002 Updated: May 15, 2002
Status
Not Affected
Vendor Statement
HP-UX is not vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
IBM Not Affected
Notified: May 09, 2002 Updated: May 16, 2002
Status
Not Affected
Vendor Statement
IBM's AIX operating system is not vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
SGI Not Affected
Notified: May 09, 2002 Updated: May 15, 2002
Status
Not Affected
Vendor Statement
IRIX is not vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
BSDI Unknown
Notified: May 09, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Cisco Systems Inc. Unknown
Notified: May 10, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Compaq Computer Corporation Unknown
Notified: May 09, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Data General Unknown
Notified: May 09, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Debian Unknown
Notified: May 09, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Fujitsu Unknown
Notified: May 09, 2002 Updated: May 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Guardian Digital Inc. Unknown
Notified: May 09, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
MandrakeSoft Unknown
Notified: May 09, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
NEC Corporation Unknown
Notified: May 09, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
NetBSD Unknown
Notified: May 09, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Nortel Networks Unknown
Notified: May 09, 2002 Updated: May 13, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Red Hat Inc. Unknown
Notified: May 09, 2002 Updated: May 10, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
SSH Communications Security Unknown
Notified: May 10, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Sequent Unknown
Notified: May 09, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Sony Corporation Unknown
Notified: May 09, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
SuSE Inc. Unknown
Notified: May 09, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Sun Microsystems Inc. Unknown
Notified: May 09, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Unisys Unknown
Notified: May 09, 2002 Updated: May 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Acknowledgements
This document was written by Ian A. Finlay.
Other Information
CVE IDs: None
Severity Metric: 29.53
Date Public: 2002-05-09
Date First Published: 2002-05-24
Date Last Updated: 2002-12-12 16:00 UTC
Document Revision: 26