[luau] (Patched) FreeBSD Local Root exploit... it works ;)

R. Scott Belford sctinc at flex.com
Wed Apr 24 13:37:11 PDT 2002 

Many thanks again to you, Charles for this contribution.  Amazing.  It 
appears that, based on this link below that you provided, that this hole 
was known of back in the 80's.  Mercy.

http://groups.google.com/groups?q=checklist+security+setuid+-linux+group:alt.
security&hl=en&scoring=r&selm=1991May14.101450.830%40convex.com&rnum=1


A buddy I told about this sent this back to me yesterday.  It has been 
fixed.  Fifteen years.  Mercy.

It looks like the vulnerability you have described has been reported to 
the
FreeBSD security team and a patch is available.  The advisory below is 
dated
2002-04-22, very recent.  You can either download the patch and apply
manually or cvsup to 4.5-stable and pickup the fix that way.

-----BEGIN PGP SIGNED MESSAGE-----

==========================================================================
===
FreeBSD-SA-02:23.stdio                                      Security 
Advisory
                                                           The FreeBSD 
Project

Topic:          insecure handling of stdio file descriptors

Category:       core
Module:         kernel
Announced:      2002-04-22
Credits:        Joost Pol <joost at pine.nl>
Affects:        All releases of FreeBSD up to and including 4.5-RELEASE
                 4.5-STABLE prior to the correction date
Corrected:      2002-04-21 13:06:45 UTC (RELENG_4)
                 2002-04-21 13:08:57 UTC (RELENG_4_5)
                 2002-04-21 13:10:51 UTC (RELENG_4_4)
FreeBSD only:   NO

I.   Background

By convention, POSIX systems associate file descriptors 0, 1, and 2
with standard input, standard output, and standard error,
respectively.  Almost all applications give these stdio file
descriptors special significance, such as writing error messages to
standard error (file descriptor 2).

In new processes, all file descriptors are duplicated from the parent
process.  Unless these descriptors are marked close-on-exec, they
retain their state during an exec.

All POSIX systems assign file descriptors in sequential order,
starting with the lowest unused file descriptor.  For example, if a
newly exec'd process has file descriptors 0 and 1 open, but file
descriptor 2 closed, and then opens a file, the new file descriptor is
guaranteed to be 2 (standard error).

II.  Problem Description

Some programs are set-user-id or set-group-id, and therefore run with
increased privileges.  If such a program is started with some of the
stdio file descriptors closed, the program may open a file and
inadvertently associate it with standard input, standard output, or
standard error.  The program may then read data from or write data to
the file inappropriately.  If the file is one that the user would
normally not have privileges to open, this may result in an
opportunity for privilege escalation.

III. Impact

Local users may gain superuser privileges.  It is known that the
`keyinit' set-user-id program is exploitable using this method.  There
may be other programs that are exploitable.

IV.  Workaround

None.  The set-user-id bit may be removed from `keyinit' using the
following command, but note that there may be other programs that can
be exploited.

# chmod 0555 /usr/bin/keyinit

V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE; or to either of the
RELENG_4_5 (4.5-RELEASE-p4) or RELENG_4_4 (4.4-RELEASE-p11) security
branches dated after the respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch 
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch
# fetch 
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
   Branch
- 
-------------------------------------------------------------------------
sys/sys/filedesc.h
   RELENG_4                                                       1.19.2.4
   RELENG_4_5                                                 1.19.2.3.6.1
   RELENG_4_4                                                 1.19.2.3.4.1
sys/kern/kern_exec.c
   RELENG_4                                                     1.107.2.14
   RELENG_4_5                                               1.107.2.13.2.1
   RELENG_4_4                                                1.107.2.8.2.2
sys/kern/kern_descrip.c
   RELENG_4                                                      1.81.2.11
   RELENG_4_5                                                 1.81.2.9.2.1
   RELENG_4_4                                                 1.81.2.8.2.1
sys/conf/newvers.sh
   RELENG_4_5                                                1.44.2.20.2.5
   RELENG_4_4                                               1.44.2.17.2.10
- 
-------------------------------------------------------------------------

mercy!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/enriched
Size: 5522 bytes
Desc: not available
URL: <http://lists.freesoftwarehawaii.org/pipermail/luau-freesoftwarehawaii.org/attachments/20020424/4e2fe10d/attachment-0001.bin>

More information about the LUAU mailing list