copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
» ESB-97.144 -- FreeBSD Security Advisory: FreeBSD-SA-...
ESB-97.144 -- FreeBSD Security Advisory: FreeBSD-SA-97:05.open -- security compromise via open()
Date:
30 October 1997
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-97.144 -- FreeBSD Security Advisory: FreeBSD-SA-97:05.open security compromise via open() 30 October 1997 =========================================================================== FreeBSD, Inc. has released the following advisory concerning a vulnerability in the open() system call. This vulnerability may allow local users to perform unauthorised IO instructions. Other versions of BSD based Unix operating systems implementations may also be susceptible to this vulnerability. Contact your vendor for further information. The following security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write this document, AUSCERT has had no control over its content. As such, the decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. Contact information for FreeBSD is included in the Security Bulletin below. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/information/advisories.html If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 4477 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. - ---------------------------BEGIN INCLUDED TEXT-------------------- - ------BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-97:05 Security Advisory FreeBSD, Inc. Topic: security compromise via open() Category: core Module: kern Announced: 1997-10-29 Affects: FreeBSD 2.1.*, FreeBSD 2.2.*, FreeBSD-stable and FreeBSD-current Corrected: FreeBSD-current as of 1997/10/23 (partly even on 1997/04/14) FreeBSD-stable as of 1997/10/24 FreeBSD 2.1-stable as of 1997/10/29 FreeBSD only: yes Patches: ftp://freebsd.org/pub/CERT/patches/SA-97:05/ ============================================================================= I. Background In FreeBSD, the open() system call is used in normal file operations. When calling open(), the caller should specify if the file is to be opened for reading, for writing or for both. The right to reading from and/or writing to a file is controlled by the file's mode bits in the filesystem. In FreeBSD, open() is also used to obtain the right to do privileged io instructions. II. Problem Description A problem exists in the open() syscall that allows processes to obtain a valid file descriptor without having read or write permissions on the file being opened. This is normally not a problem. The FreeBSD way of obtaining the right to do io instructions however, is based on the right to open a specific file (/dev/io). III. Impact The problem can be used by any user on the system to do unauthorised io instructions. IV. Workaround No workaround is available. V. Solution Apply the following patches. The first one in /usr/src/sys/kern, and the second one in /usr/src/sys/i386/i386, Rebuild your kernel, install it and reboot your system. patch 1: For FreeBSD-current before 1997/10/23: Index: vfs_syscalls.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.76 retrieving revision 1.77 diff -u -r1.76 -r1.77 --- vfs_syscalls.c 1997/10/12 20:24:27 1.76 +++ vfs_syscalls.c 1997/10/22 07:28:51 1.77 @@ -863,11 +863,13 @@ struct flock lf; struct nameidata nd; + flags = FFLAGS(SCARG(uap, flags)); + if ((flags & FREAD + FWRITE) == 0) + return (EINVAL); error = falloc(p, &nfp, &indx); if (error) return (error); fp = nfp; - flags = FFLAGS(SCARG(uap, flags)); cmode = ((SCARG(uap, mode) &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p); p->p_dupfd = -indx - 1; /* XXX check for fdopen */ For FreeBSD 2.1.* and 2.2.*: Index: vfs_syscalls.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.51.2.5 diff -u -r1.51.2.5 vfs_syscalls.c --- vfs_syscalls.c 1997/10/01 06:23:48 1.51.2.5 +++ vfs_syscalls.c 1997/10/28 22:04:43 @@ -688,11 +688,13 @@ struct flock lf; struct nameidata nd; + flags = FFLAGS(uap->flags); + if ((flags & FREAD + FWRITE) == 0) + return (EINVAL); error = falloc(p, &nfp, &indx); if (error) return (error); fp = nfp; - flags = FFLAGS(uap->flags); cmode = ((uap->mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, p); p->p_dupfd = -indx - 1; /* XXX check for fdopen */ patch 2: For FreeBSD 2.1.* and 2.2.* and For FreeBSD-current before 1997/04/14: Index: mem.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/i386/i386/mem.c,v retrieving revision 1.38 retrieving revision 1.38.2.1 diff -u -r1.38 -r1.38.2.1 --- mem.c 1996/09/27 13:25:06 1.38 +++ mem.c 1997/10/23 22:14:24 1.38.2.1 @@ -169,6 +169,7 @@ int fmt; struct proc *p; { + int error; struct trapframe *fp; switch (minor(dev)) { @@ -179,6 +180,11 @@ return ENODEV; #endif case 14: + error = suser(p->p_ucred, &p->p_acflag); + if (error != 0) + return (error); + if (securelevel > 0) + return (EPERM); fp = (struct trapframe *)curproc->p_md.md_regs; fp->tf_eflags |= PSL_IOPL; break; ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= - ------BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNFeHI1UuHi5z0oilAQEtvAQAgMrMQvRpBOiV1nWzPzDSsnQOz4bBppcT SMEssoeRrr0cQQACZ4su3vlb71XJzgXi3bakEvvZgsMSSKb3sNxEl0RHR93cDNlE L9x3sDjbY7l1q2W4BldTly7W4WDjnJt5KEVbi7DKhXb+SuxgaSN0lsow5Cgd54jX skpX4qluhBM= =47P3 - ------END PGP SIGNATURE----- - ---------------------------END INCLUDED TEXT-------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBNFhmmyh9+71yA2DNAQHoAQP/R+fZgt1g5K1ZSD4xJYmIs53uKJJ6xcva m5E/fPu2wn7tS2BCsfTEJKzMX5sBP92ymTc0c46g+mqDHVEhINF1OVx7S5KE52wd z0F6UqhaLfEOyjQL3RzjJG7FvTli1N/Bd+dapUk1lnbCBePTSkvMF0V6VRThGI1L SlNoC0ZD5fU= =yP9g -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=1&it=281