FreeBSD-SA-02:23.stdio


by Nikola Strahija on July 30th, 2002

I. Background

By convention, POSIX systems associate file descriptors 0, 1, and 2
with standard input, standard output, and standard error,
respectively. Almost all applications give these stdio file
descriptors special significance, such as writing error messages to
standard error (file descriptor 2).

In new processes, all file descriptors are duplicated from the parent
process. Unless these descriptors are marked close-on-exec, they
retain their state during an exec.

All POSIX systems assign file descriptors in sequential order,
starting with the lowest unused file descriptor. For example, if a
newly exec'd process has file descriptors 0 and 1 open, but file
descriptor 2 closed, and then opens a file, the new file descriptor is
guaranteed to be 2 (standard error).

II. Problem Description

Some programs are set-user-id or set-group-id, and therefore run with
increased privileges. If such a program is started with some of the
stdio file descriptors closed, the program may open a file and
inadvertently associate it with standard input, standard output, or
standard error. The program may then read data from or write data to
the file inappropriately. If the file is one that the user would
normally not have privileges to open, this may result in an
opportunity for privilege escalation.

The original correction for this problem (corresponding to the first
revision of this advisory) contained an error. Systems using procfs
or linprocfs could still be exploited. The dates for the original,
incomplete correction were:

Corrected:      2002-04-21 13:06:45 UTC (RELENG_4)
                2002-04-21 13:08:57 UTC (RELENG_4_5)
                2002-04-21 13:10:51 UTC (RELENG_4_4)

III. Impact

Local users may gain superuser privileges. It is known that the
`keyinit' set-user-id program is exploitable using this method. There
may be other programs that are exploitable.

IV. Workaround

[FreeBSD systems earlier than 4.5-RELEASE-p4 and 4.4-RELEASE-p11]

None. The set-user-id bit may be removed from `keyinit' using the
following command, but note that there may be other programs that can
be exploited.

# chmod 0555 /usr/bin/keyinit

[FreeBSD versions 4.5-RELEASE-p4 or later, 4.4-RELEASE-p11 or later,
4.6-RELEASE, and 4.6-STABLE]

Unmount all instances of the procfs and linprocfs filesystems using
the umount(8) command:

# umount -f -a -t procfs
# umount -f -a -t linprocfs

V. Solution

The kernel was modified to check file descriptors 0, 1, and 2 when
starting a set-user-ID or set-group-ID executable. If any of these
are not in use, they will be redirected to /dev/null.
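The following C program is an added illustration, not part of the advisory or of the FreeBSD kernel fix. It shows both halves of the issue described above: the sequential-assignment rule under which an open() in a process whose descriptor 2 is closed silently receives descriptor 2, and the userland equivalent of the kernel's correction, a startup routine that checks descriptors 0, 1 and 2 and points any closed one at /dev/null before the program opens anything else. Function names (fd_is_open, ensure_stdio_open, descriptor_reused_after_close, demo_closed_stderr) are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fd refers to an open file, 0 if the kernel reports it as
 * closed (EBADF). Any other fstat() error still means "something is there". */
int fd_is_open(int fd)
{
    struct stat sb;
    if (fstat(fd, &sb) == 0)
        return 1;
    return errno == EBADF ? 0 : 1;
}

/* Userland counterpart of the kernel change in this advisory: make sure
 * descriptors 0, 1 and 2 are open before doing anything else, attaching
 * closed ones to /dev/null (read-only for stdin, write-only for the others).
 * Returns the number of descriptors that had to be repaired, or -1 on error.
 * A set-user-id program should call this first thing in main(). */
int ensure_stdio_open(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        int nullfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nullfd < 0)
            return -1;
        /* fd is the lowest closed descriptor, so open() normally returns
         * exactly fd; dup2() covers the case where it did not. */
        if (nullfd != fd) {
            if (dup2(nullfd, fd) < 0) {
                close(nullfd);
                return -1;
            }
            close(nullfd);
        }
        repaired++;
    }
    return repaired;
}

/* Demonstrates the sequential-assignment rule from section I: close `fd`,
 * open an unrelated file, and return the descriptor the kernel handed back.
 * With 0 and 1 open and fd == 2 closed, the result is 2, i.e. the newly
 * opened file has quietly become standard error. */
int descriptor_reused_after_close(int fd)
{
    close(fd);
    return open("/dev/null", O_RDWR);
}

/* Simulates a privileged program started with stderr closed and returns how
 * many descriptors ensure_stdio_open() had to repair (expected: 1). */
int demo_closed_stderr(void)
{
    close(2);
    return ensure_stdio_open();
}

int main(void)
{
    ensure_stdio_open();  /* start from a state where 0, 1 and 2 are open */
    printf("open() after close(2) returned fd %d\n",
           descriptor_reused_after_close(2));
    printf("ensure_stdio_open() repaired %d descriptor(s)\n",
           demo_closed_stderr());
    printf("fd 2 open now: %d\n", fd_is_open(2));
    return 0;
}
```

The check must run before the program opens any file, since the hazard is precisely that the first open() lands on a stdio slot; placing it after argument parsing or configuration loading is too late. The kernel fix in section V removes the need for each set-user-id program to do this itself, but the routine remains good practice for programs that must run on systems without it.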

1) Upgrade your vulnerable system to 4.6-STABLE; or to any of
the RELENG_4_6 (4.6.1-RELEASE-p1), RELENG_4_5 (4.5-RELEASE-p10), or
RELENG_4_4 (4.4-RELEASE-p17) security branches dated after the
respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD systems earlier than 4.5-RELEASE-p4 and 4.4-RELEASE-p11]

# fetch
# fetch

[FreeBSD versions 4.5-RELEASE-p4 or later, 4.4-RELEASE-p11 or later,
4.6-RELEASE, and 4.6-STABLE]

# fetch
# fetch

b) Execute the following commands as root:

# cd /usr/src
# patch
