ISS X-Force Database: bsd-exec-race-condition(7945): BSD exec() race condition

BSD exec() race condition

bsd-exec-race-condition (7945)

Medium Risk

Description:

The exec() system call in many BSD systems is vulnerable to a race condition. A local attacker could attach to a process loading a setuid/setgid image and modify the process to gain elevated privileges.

Platforms Affected:

FreeBSD, FreeBSD 4.3
FreeBSD, FreeBSD 4.4
FreeBSD, FreeBSD RELENG_4_3
FreeBSD, FreeBSD RELENG_4_4
NetBSD, NetBSD 1.4
NetBSD, NetBSD 1.4.1
NetBSD, NetBSD 1.4.2
NetBSD, NetBSD 1.4.3
NetBSD, NetBSD 1.5
NetBSD, NetBSD 1.5.1
NetBSD, NetBSD 1.5.2

Remedy:

For NetBSD 1.4 through 1.4.3:
Apply the SA2002-001-ptrace-1.4 patch, as listed in NetBSD Security Advisory 2002-001. See References.

For NetBSD 1.5 through 1.5.2:
Apply the SA2002-001-ptrace-1.5.patch, as listed in NetBSD Security Advisory 2002-001. See References.

For FreeBSD 4.4-STABLE, RELENG_4_3 and RELENG_4_4 :
Apply the exec patch, available from the FreeBSD, Inc. Security Advisory FreeBSD-SA-02:08. See References.

For FreeBSD 4.3 RELEASE :
Apply the exec-43R patch, available from the FreeBSD, Inc. Security Advisory FreeBSD-SA-02:08. See References.

As a workaround, disable all logins from untrusted users.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Privileges

References:

FreeBSD Security Advisory FreeBSD-SA-02:08, race condition during exec may allow local root compromise at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:08.exec.asc.
NetBSD Security Advisory 2002-001, Close-on-exec, SUID and ptrace(2) at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-001.txt.asc.
BID-3891: BSD exec() Race Condition Vulnerability
CVE-2002-2092: Race condition in exec in OpenBSD 4.0 and earlier, NetBSD 1.5.2 and earlier, and FreeBSD 4.4 and earlier allows local users to gain privileges by attaching a debugger to a process before the kernel has determined that the process is setuid or setgid.
OSVDB ID: 19475: Multiple BSD exec Race Condition Process Debugger Privilege Escalation

Reported:

Jan 16, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page