Date: 30 October 1997
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-97.144 -- FreeBSD Security Advisory: FreeBSD-SA-97:05.open
security compromise via open()
30 October 1997
===========================================================================
FreeBSD, Inc. has released the following advisory concerning a vulnerability
in the open() system call. This vulnerability may allow local users to
perform unauthorised IO instructions.
Other versions of BSD based Unix operating systems implementations may also
be susceptible to this vulnerability. Contact your vendor for further
information.
The following security bulletin is provided as a service to AUSCERT's
members. As AUSCERT did not write this document, AUSCERT has had no
control over its content. As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.
Contact information for FreeBSD is included in the Security Bulletin below.
If you have any questions or need further information, please contact them
directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/information/advisories.html
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
- ---------------------------BEGIN INCLUDED TEXT--------------------
- ------BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-97:05 Security Advisory
FreeBSD, Inc.
Topic: security compromise via open()
Category: core
Module: kern
Announced: 1997-10-29
Affects: FreeBSD 2.1.*, FreeBSD 2.2.*,
FreeBSD-stable and FreeBSD-current
Corrected: FreeBSD-current as of 1997/10/23 (partly even on 1997/04/14)
FreeBSD-stable as of 1997/10/24
FreeBSD 2.1-stable as of 1997/10/29
FreeBSD only: yes
Patches: ftp://freebsd.org/pub/CERT/patches/SA-97:05/
=============================================================================
I. Background
In FreeBSD, the open() system call is used in normal file operations.
When calling open(), the caller should specify if the file is
to be opened for reading, for writing or for both.
The right to reading from and/or writing to a file is controlled
by the file's mode bits in the filesystem.
In FreeBSD, open() is also used to obtain the right to do
privileged io instructions.
II. Problem Description
A problem exists in the open() syscall that allows processes
to obtain a valid file descriptor without having read or write
permissions on the file being opened. This is normally not a
problem. The FreeBSD way of obtaining the right to do io
instructions however, is based on the right to open a specific
file (/dev/io).
III. Impact
The problem can be used by any user on the system to do unauthorised
io instructions.
IV. Workaround
No workaround is available.
V. Solution
Apply the following patches. The first one in /usr/src/sys/kern,
and the second one in /usr/src/sys/i386/i386,
Rebuild your kernel, install it and reboot your system.
patch 1:
For FreeBSD-current before 1997/10/23:
Index: vfs_syscalls.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.76
retrieving revision 1.77
diff -u -r1.76 -r1.77
--- vfs_syscalls.c 1997/10/12 20:24:27 1.76
+++ vfs_syscalls.c 1997/10/22 07:28:51 1.77
@@ -863,11 +863,13 @@
struct flock lf;
struct nameidata nd;
+ flags = FFLAGS(SCARG(uap, flags));
+ if ((flags & FREAD + FWRITE) == 0)
+ return (EINVAL);
error = falloc(p, &nfp, &indx);
if (error)
return (error);
fp = nfp;
- flags = FFLAGS(SCARG(uap, flags));
cmode = ((SCARG(uap, mode) &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
p->p_dupfd = -indx - 1; /* XXX check for fdopen */
For FreeBSD 2.1.* and 2.2.*:
Index: vfs_syscalls.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.51.2.5
diff -u -r1.51.2.5 vfs_syscalls.c
--- vfs_syscalls.c 1997/10/01 06:23:48 1.51.2.5
+++ vfs_syscalls.c 1997/10/28 22:04:43
@@ -688,11 +688,13 @@
struct flock lf;
struct nameidata nd;
+ flags = FFLAGS(uap->flags);
+ if ((flags & FREAD + FWRITE) == 0)
+ return (EINVAL);
error = falloc(p, &nfp, &indx);
if (error)
return (error);
fp = nfp;
- flags = FFLAGS(uap->flags);
cmode = ((uap->mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, p);
p->p_dupfd = -indx - 1; /* XXX check for fdopen */
patch 2:
For FreeBSD 2.1.* and 2.2.* and For FreeBSD-current before 1997/04/14:
Index: mem.c
===================================================================
RCS file: /home/cvsup/freebsd/CVS/src/sys/i386/i386/mem.c,v
retrieving revision 1.38
retrieving revision 1.38.2.1
diff -u -r1.38 -r1.38.2.1
--- mem.c 1996/09/27 13:25:06 1.38
+++ mem.c 1997/10/23 22:14:24 1.38.2.1
@@ -169,6 +169,7 @@
int fmt;
struct proc *p;
{
+ int error;
struct trapframe *fp;
switch (minor(dev)) {
@@ -179,6 +180,11 @@
return ENODEV;
#endif
case 14:
+ error = suser(p->p_ucred, &p->p_acflag);
+ if (error != 0)
+ return (error);
+ if (securelevel > 0)
+ return (EPERM);
fp = (struct trapframe *)curproc->p_md.md_regs;
fp->tf_eflags |= PSL_IOPL;
break;
=============================================================================
FreeBSD, Inc.
Web Site: http://www.freebsd.org/
Confidential contacts: security-officer@freebsd.org
PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications: security-notifications@freebsd.org
Security public discussion: security@freebsd.org
Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.
=============================================================================
- ------BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNFeHI1UuHi5z0oilAQEtvAQAgMrMQvRpBOiV1nWzPzDSsnQOz4bBppcT
SMEssoeRrr0cQQACZ4su3vlb71XJzgXi3bakEvvZgsMSSKb3sNxEl0RHR93cDNlE
L9x3sDjbY7l1q2W4BldTly7W4WDjnJt5KEVbi7DKhXb+SuxgaSN0lsow5Cgd54jX
skpX4qluhBM=
=47P3
- ------END PGP SIGNATURE-----
- ---------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBNFhmmyh9+71yA2DNAQHoAQP/R+fZgt1g5K1ZSD4xJYmIs53uKJJ6xcva
m5E/fPu2wn7tS2BCsfTEJKzMX5sBP92ymTc0c46g+mqDHVEhINF1OVx7S5KE52wd
z0F6UqhaLfEOyjQL3RzjJG7FvTli1N/Bd+dapUk1lnbCBePTSkvMF0V6VRThGI1L
SlNoC0ZD5fU=
=yP9g
-----END PGP SIGNATURE-----
|