ISS X-Force Database: bsd-suid-apps-gain-privileges(8920): Multiple BSD suid programs can be used to gain elevated privileges

Multiple BSD suid programs can be used to gain elevated privileges

bsd-suid-apps-gain-privileges (8920)

High Risk

Description:

A vulnerability in the handling of stdio file descriptors in multiple BSD implementations could allow a local attacker to gain elevated privileges. If a local attacker opens a suid program that has either the stdin, stdout, or stderr file descriptor closed (0, 1, or 2 in POSIX systems), the attacker could gain elevated privileges by opening a file that they would not normally have access to, which would be assigned to the next available file descriptor. This would allow an attacker to write data to or read data from the file using the parent suid program. An attacker could exploit this vulnerability to gain root privileges on the system.

Note: In OpenBSD systems, root privileges can be obtained by exploiting a race condition that occurs once the kernel file descriptor table has been filled.

Platforms Affected:

Compaq, Tru64 4.0g
FreeBSD, FreeBSD 4.1
FreeBSD, FreeBSD 4.1.1
FreeBSD, FreeBSD 4.2
FreeBSD, FreeBSD 4.3
FreeBSD, FreeBSD 4.4
FreeBSD, FreeBSD 4.5
OpenBSD, OpenBSD 2.9
OpenBSD, OpenBSD 3.0
OpenBSD, OpenBSD 3.1

Remedy:

For all versions of FreeBSD including FreeBSD 4.5-RELEASE and 4.5-STABLE:
Upgrade to the latest version of FreeBSD (4.5-STABLE dated 2002-04-21 or later) or the latest RELENG_4_5 (4.5-RELEASE-p4) or RELENG_4_4 (4.4-RELEASE-p11) security branches (dated 2002-04-21 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-02:23.stdio. See References.

— OR —

Apply the appropriate patch for your system, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-02:23.stdio. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Privileges

References:

BugTraq Mailing List, Mon Apr 22 2002 - 14:23:51 CDT, Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio at http://archives.neohapsis.com/archives/bugtraq/2002-04/0304.html.
BugTraq Mailing List, Mon Apr 22 2002 - 14:23:51 CDT, Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio at http://archives.neohapsis.com/archives/bugtraq/2002-04/0304.html.
BugTraq Mailing List, Thu May 09 2002 - 08:11:31 CDT, OpenBSD local DoS and root exploit at http://archives.neohapsis.com/archives/bugtraq/2002-05/0066.html.
BugTraq Mailing List, Thu May 09 2002 - 10:27:40 CDT, Re: OpenBSD local DoS and root exploit at http://archives.neohapsis.com/archives/bugtraq/2002-05/0067.html.
BugTraq Mailing List, Tue Apr 23 2002 - 01:24:08 CDT, cheers at http://archives.neohapsis.com/archives/bugtraq/2002-04/0318.html.
CIAC Information Bulletin M-072, FreeBSD stdio File Descriptors Vulnerability at http://www.ciac.org/ciac/bulletins/m-072.shtml.
FreeBSD Security Advisory FreeBSD-SA-02:23.stdio, insecure handling of stdio file descriptors at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc.
Georgi Guninski Security Advisory #56, 2002, FreeBSD <=4.6 kernel problems, yet Linux and *BSD much better than Windows at http://www.guninski.com/freebsd2.html.
OpenBSD 2.9 errata, 026: SECURITY FIX: May 8, 2002 at http://www.openbsd.org/errata29.html.
OpenBSD 3.0 errata, 021: SECURITY FIX: May 8, 2002 at http://www.openbsd.org/errata30.html.
OpenBSD 3.1 errata, 003: SECURITY FIX: May 8, 2002 at http://www.openbsd.org/errata.html.
Pine Internet Security Advisory PINE-CERT-20020401, Suid application execution may give local root at http://www.pine.nl/advisories/pine-cert-20020401.html.
BID-4568: BSD exec C Library Standard I/O File Descriptor Closure Vulnerability
BID-4708: Multiple Vendor exec C Library Standard I/O File Descriptor Race Condition Vulnerability
CVE-2002-0572: FreeBSD 4.5 and earlier, and possibly other BSD-based operating systems, allows local users to write to or read from restricted files by closing the file descriptors 0 (standard input), 1 (standard output), or 2 (standard error), which may then be reused by a called setuid process that intended to perform I/O on normal files.
CVE-2002-0820: FreeBSD kernel 4.6 and earlier closes the file descriptors 0, 1, and 2 after they have already been assigned to /dev/null when the descriptors reference procfs or linprocfs, which could allow local users to reuse the file descriptors in a setuid or setgid program to modify critical data and gain privileges.
OSVDB ID: 6095: Multiple BSD exec C File Descriptor Privilege Escalation
US-CERT VU#809347: FreeBSD privilege elevation vulnerability

Reported:

Apr 22, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page