BSD exec() race condition

bsd-exec-race-condition (7945) The risk level is classified as MediumMedium Risk

Description:

The exec() system call in many BSD systems is vulnerable to a race condition. A local attacker could attach to a process loading a setuid/setgid image and modify the process to gain elevated privileges.


Consequences:

Gain Privileges

Remedy:

For NetBSD 1.4 through 1.4.3:
Apply the SA2002-001-ptrace-1.4 patch, as listed in NetBSD Security Advisory 2002-001. See References.

For NetBSD 1.5 through 1.5.2:
Apply the SA2002-001-ptrace-1.5.patch, as listed in NetBSD Security Advisory 2002-001. See References.

For FreeBSD 4.4-STABLE, RELENG_4_3 and RELENG_4_4 :
Apply the exec patch, available from the FreeBSD, Inc. Security Advisory FreeBSD-SA-02:08. See References.

For FreeBSD 4.3 RELEASE :
Apply the exec-43R patch, available from the FreeBSD, Inc. Security Advisory FreeBSD-SA-02:08. See References.

As a workaround, disable all logins from untrusted users.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • FreeBSD Security Advisory FreeBSD-SA-02:08: race condition during exec may allow local root compromise.
  • NetBSD Security Advisory 2002-001: Close-on-exec, SUID and ptrace(2).
  • BID-3891: BSD exec() Race Condition Vulnerability
  • CVE-2002-2092: Race condition in exec in OpenBSD 4.0 and earlier, NetBSD 1.5.2 and earlier, and FreeBSD 4.4 and earlier allows local users to gain privileges by attaching a debugger to a process before the kernel has determined that the process is setuid or setgid.
  • OSVDB ID: 19475: Multiple BSD exec Race Condition Process Debugger Privilege Escalation

Platforms Affected:

  • FreeBSD FreeBSD 4.3
  • FreeBSD FreeBSD 4.4
  • FreeBSD FreeBSD RELENG_4_3
  • FreeBSD FreeBSD RELENG_4_4
  • NetBSD NetBSD 1.4
  • NetBSD NetBSD 1.4.1
  • NetBSD NetBSD 1.4.2
  • NetBSD NetBSD 1.4.3
  • NetBSD NetBSD 1.5
  • NetBSD NetBSD 1.5.1
  • NetBSD NetBSD 1.5.2

Reported:

Jan 16, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page