Bugtraq mailing list archives
Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio
From: bert hubert <ahu () ds9a nl>
Date: Mon, 22 Apr 2002 22:28:22 +0200
Credits: Joost Pol <joost () pine nl>
Joost rules. And my apologies to Pine for always being late paying my bills. Sorry :-)

This is a simple test, executing a setuid process with filedescriptor 2 closed, and then opening a file and seeing what fd it gets.

Linux 2.2.16 RedHat AXP         Not vulnerable (thanks fets)
Linux 2.5.6 Debian `Woody'      Not vulnerable
Linux 2.4.18 Debian `Potato'    Not vulnerable
OpenBSD 2.9                     Not vulnerable (thanks dim)
OpenBSD 3.0                     Not vulnerable (thanks sateh)
OpenBSD 3.1                     Not vulnerable (thanks dim)
OS X 10.1.4                     Not vulnerable (thanks sateh)
NetBSD 1.4.2                    Not vulnerable (thanks bounce)
Solaris 2.5.1-2.5.8             Vulnerable

Code on http://ds9a.nl/setuid-fd-2.tar.gz

For further tests, 'outer' might try to exhaust *all* available filedescriptors except 0, 1 or 2. This is left as an exercise for the reader, or maybe we will beat you to it. The trick is to leave enough fd's available for ld.so.

Regards,

bert

--
http://www.PowerDNS.com/pdns Try our new database driven nameserver!
http://www.tk the dot in .tk
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO