Bugtraq mailing list archives
CERT Vendor-Initiated Bulletin VB-96.06 - FreeBSD
From: cert-advisory () cert org (CERT Bulletin)
Date: Mon, 20 May 1996 21:04:53 -0500
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT(sm) Vendor-Initiated Bulletin VB-96.06
May 20, 1996

Topic:  unauthorized access via mount_union / mount_msdos (vfsload)
Source: The FreeBSD Project, Inc.

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from the FreeBSD
Project, Inc. The FreeBSD Project urges you to act on this information as soon
as possible. Their contact information is included in the forwarded text
below; please contact them if you have any questions or need further
information.

========================FORWARDED TEXT STARTS HERE============================

=============================================================================
FreeBSD-SA-96:09                                            Security Advisory
                                                    The FreeBSD Project, Inc.

Topic:          unauthorized access via mount_union / mount_msdos (vfsload)
Category:       core
Module:         libc
Announced:      1996-05-17
Affects:        FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current
Corrected:      1996-05-17 2.1-stable and 2.2-current sources
Source:         FreeBSD native bug
FreeBSD only:   yes

Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:09/

=============================================================================

I.   Background

     A bug was found in the vfsload(3) library call that affects all
     versions of FreeBSD from 2.0 through 2.2-CURRENT that caused a
     system vulnerability. This problem is present in all source code
     and binary distributions of FreeBSD version 2.x released before
     1996-05-18.

     The FreeBSD project is aware of active exploits of this
     vulnerability.

     All FreeBSD users are encouraged to use the workaround provided
     until they can update their operating system to a version with
     this vulnerability fixed.

II.  Problem Description

     The mount_union and mount_msdos programs invoke another system
     utility in an insecure fashion while setuid root.

III. Impact

     The problem could allow local users to gain unauthorized
     permissions.

     This vulnerability can only be exploited by users with a valid
     account on the local system.

IV.  Solution(s)

     Update operating system sources and binaries to FreeBSD 2.1-stable
     or FreeBSD 2.2-current as distributed later than 1996-05-18 or
     if you are currently running 2.1 or later, you may apply
     the solution patches available at the URL listed at the top of
     this message.

     The OS updates fix the actual problem in the vfsload(3) library
     routine. Once the vfsload() library routine is fixed, the
     workaround listed below is not necessary to solve this problem.
     However, an additional stability problem has come to light
     (ref. FreeBSD SA-96:10) so the FreeBSD project suggests using
     both the setuid workaround and the solution for best results.

V.   Workaround

     This vulnerability can quickly and easily be limited by removing
     the setuid permission bit from the mount_union and mount_msdos
     programs. This workaround will work for all versions of FreeBSD
     affected by this problem.

     As root, execute the command:

         % chmod u-s /sbin/mount_union /sbin/mount_msdos

     then verify that the setuid permissions of the files have been
     removed.
     The permissions array should read "-r-xr-xr-x" as shown here:

         % ls -l /sbin/mount_union /sbin/mount_msdos
         -r-xr-xr-x 1 root bin 151552 Apr 26 04:41 /sbin/mount_msdos
         -r-xr-xr-x 1 root bin 53248 Apr 26 04:40 /sbin/mount_union

     In addition to changing the permissions on the executable files,
     if you have the source code installed, we suggest patching the
     sources so that mount_union will not be installed with the
     setuid bit set:

*** /usr/src/sbin/mount_union/Makefile Sun Nov 20 14:47:52 1994 - - --- /usr/src/sbin/mount_union/Makefile Fri May 17 10:36:09 1996 *************** *** 8,14 **** CFLAGS+= -I${.CURDIR}/../../sys -I${MOUNT} .PATH: ${MOUNT} - - - BINOWN= root - - - BINMODE=4555 - - - .include <bsd.prog.mk> - - --- 8,11 ---- *** /usr/src/sbin/i386/mount_msdos/Makefile Sun Dec 4 00:01:24 1994 - - --- /usr/src/sbin/i386/mount_msdos/Makefile Fri May 17 11:31:57 1996 *************** *** 6,14 **** SRCS= mount_msdos.c getmntopts.c MAN8= mount_msdos.8 - - - BINOWN= root - - - BINMODE= 4555 - - - MOUNT= ${.CURDIR}/../../mount CFLAGS+= -I${MOUNT} .PATH: ${MOUNT} - - --- 6,11 ----

=============================================================================
The FreeBSD Project, Inc.

Web Site:                       http://www.freebsd.com/
Confidential contacts:          security-officer () freebsd org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications () freebsd org
Security public discussion:     security () freebsd org

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
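Review bot: in the /usr/src/sbin/mount_union/Makefile hunk, `BINOWN= root` is removed together with `BINMODE=4555`, so both owner and mode now fall back to whatever `<bsd.prog.mk>` supplies, and these lines do not show what that is. Suggest confirming after a fresh install that /sbin/mount_union comes out non-setuid with the intended owner, or dropping only the `BINMODE` line and keeping `BINOWN= root` if root ownership is still wanted.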
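Review bot: the /usr/src/sbin/i386/mount_msdos/Makefile hunk drops `BINOWN= root` and `BINMODE= 4555` without leaving any comment that records why, and the sentence introducing the patch names only mount_union although this hunk changes mount_msdos as well. Suggest a one-line comment in each Makefile citing FreeBSD-SA-96:09 so the setuid install mode is not restored later, and naming both programs in the introduction.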
=============================================================================

=========================FORWARDED TEXT ENDS HERE=============================

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
- ------------------------
Email    cert () cert org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request () cert org

CERT is a service mark of Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMaDNPXVP+x0t4w7BAQESjAP/fi7bgKoABUbqBJ+6q3PojO5ER18hgo9o
nAk6TMC+xlxyjOl7u2ZJeUvhUYaPnmkutSAXJkOHy7zGJ5yJFIznyJYjLjqaqwCU
4VYZ1TVc7U2bB+OwCErpGyOVi8+zmH7kcgn4J+a0aSfYwgP4pMpPxws+/VmbiB+U
pl7qAXlOVFM=
=TdzJ
-----END PGP SIGNATURE-----
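The workaround and verification step from section V of the advisory, as an added example (not part of the bulletin and not FreeBSD Project code): a POSIX sh script that reports whether each binary is setuid, clears the bit, and re-checks it. The function names and the `--apply` switch are assumptions of this example; the two default paths are the ones the advisory names.

```shell
#!/bin/sh
# Added example: audit and clear the setuid bit on the binaries named in
# FreeBSD-SA-96:09, then verify the result (section V workaround).

# Default targets are the two paths given in the advisory.
TARGETS="/sbin/mount_union /sbin/mount_msdos"

# check_setuid FILE -> prints one status word: missing | setuid | clean
check_setuid() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo clean
    fi
}

# apply_workaround FILE... -> clears setuid where set and verifies afterwards.
# Returns 0 only if no listed file is still setuid when it finishes.
apply_workaround() {
    rc=0
    for f in "$@"; do
        case "$(check_setuid "$f")" in
            missing)
                echo "skip:   $f (not installed)" ;;
            clean)
                echo "ok:     $f (setuid bit already clear)" ;;
            setuid)
                chmod u-s "$f" 2>/dev/null || :
                # Re-check instead of trusting chmod's exit status.
                if [ "$(check_setuid "$f")" = clean ]; then
                    echo "fixed:  $f (setuid bit removed)"
                else
                    echo "FAILED: $f is still setuid; rerun as root" >&2
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Touch the advisory's paths only when run with --apply, so sourcing the
# file or running it without arguments changes nothing.
if [ "${1:-}" = "--apply" ]; then
    apply_workaround $TARGETS
fi
```

A file reported as "skip" is expected on systems where one of the two programs is not installed; a "FAILED" line means the bit is still set and the workaround has not taken effect.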