Bugtraq mailing list archives

Re: OpenBSD 2.9,2.8 local root compromise


From: Jason R Thorpe <thorpej () zembu com>
Date: Thu, 14 Jun 2001 23:38:03 -0700

On Thu, Jun 14, 2001 at 07:09:31PM +0200, Przemyslaw Frasunek wrote:

 > On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
 > > OpenBSD 2.9,2.8
 > > Have not tested on other OSes but they may be vulnerable
 >
 > FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
 > privileges before allowing detach.

Uh, the fundamental problem is that there's a chance to PT_ATTACH to
such a process before the P_SUGID bit is set in the proc.  This can
happen when, e.g. the ucred structure is copied (there is a potentially
blocking malloc() call in that path).

A cursory glance shows several places where the FreeBSD kernel has
code like:

        /* sanity check */
        /* blocking call */
        /* change user/group ID */
        /* set P_SUGID */

During the /* blocking call */, another process can sneak in and PT_ATTACH
the process that is about to become sugid.

-- 
        -- Jason R. Thorpe <thorpej () zembu com>
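The interleaving Thorpe describes, written out as a deterministic C model (an added illustration, not code from this mail or from any BSD kernel). It assumes the "sanity check" is the usual "a traced process must not gain privileges on exec" test, models the attacker as a single PT_ATTACH attempt placed after one chosen step, and uses a hypothetical P_INEXEC flag and an attach_allowed() helper to show one way of closing the window: mark the process as mid-exec before the blocking call and have the attach check refuse while that mark is set. Uid values are constructed.

```c
/*
 * Constructed model of the race: the attach check consults P_SUGID, but
 * execve() of a setuid binary only sets P_SUGID after a blocking call and
 * after the credential change.  Not kernel code; P_INEXEC and
 * attach_allowed() are illustrative names.
 */
#include <stdbool.h>
#include <stdio.h>

enum {
    P_SUGID  = 0x1,   /* process has changed credentials */
    P_INEXEC = 0x2,   /* illustrative: exec in progress, refuse attach */
};

struct proc {
    int  flags;
    int  ruid, euid;
    bool traced;
};

/* Unprivileged attacher asking for PT_ATTACH on p. */
static bool attach_allowed(const struct proc *p, int attacher_uid, bool hardened)
{
    if (attacher_uid != p->ruid)
        return false;                 /* must own the target process */
    if (p->flags & P_SUGID)
        return false;                 /* already sugid: refused */
    if (hardened && (p->flags & P_INEXEC))
        return false;                 /* hardened path: exec in progress */
    return true;
}

/*
 * Exec a setuid-root binary in a fresh process.  The attacker tries
 * PT_ATTACH exactly once, just after step `attack_after` (0 = before the
 * exec starts, 4 = after it finishes).  Returns true if the attacker ends
 * up tracing a process whose euid is now 0, i.e. the local root compromise.
 */
static bool exec_setuid_root(int attack_after, bool hardened)
{
    struct proc p = { .flags = 0, .ruid = 1000, .euid = 1000, .traced = false };
    const int attacker_uid = 1000;    /* constructed: attacker owns the process */
    bool honor_setuid = true;

#define ATTACK_AT(step)                                                   \
    do {                                                                  \
        if (attack_after == (step) &&                                     \
            attach_allowed(&p, attacker_uid, hardened))                   \
            p.traced = true;                                              \
    } while (0)

    ATTACK_AT(0);
    if (hardened)
        p.flags |= P_INEXEC;          /* fix: close the window before blocking */

    /* step 1: sanity check -- a traced process must not gain privileges */
    if (p.traced)
        honor_setuid = false;
    ATTACK_AT(1);

    /* step 2: blocking call (e.g. malloc() while copying the ucred);
     * in the real kernel another process can run here */
    ATTACK_AT(2);

    /* step 3: change user ID */
    if (honor_setuid)
        p.euid = 0;
    ATTACK_AT(3);

    /* step 4: set P_SUGID; only now does the attach check refuse */
    if (honor_setuid)
        p.flags |= P_SUGID;
    if (hardened)
        p.flags &= ~P_INEXEC;
    ATTACK_AT(4);
#undef ATTACK_AT

    return p.traced && p.euid == 0;
}

int main(void)
{
    for (int step = 0; step <= 4; step++)
        printf("attach after step %d: vulnerable=%s hardened=%s\n", step,
               exec_setuid_root(step, false) ? "compromised" : "safe",
               exec_setuid_root(step, true)  ? "compromised" : "safe");
    return 0;
}
```

In the vulnerable ordering, an attach landing after step 1, 2 or 3 succeeds and the process then becomes (or already is) euid 0 under the attacker's control; only an attach before the sanity check or after P_SUGID is set is harmless. With the mid-exec mark set before the blocking call, every attempt inside the window is refused.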

