Bugtraq mailing list archives

Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio


From: bert hubert <ahu () ds9a nl>
Date: Mon, 22 Apr 2002 22:28:22 +0200

Credits:        Joost Pol <joost () pine nl>

Joost rules. And my apologies to Pine for always being late paying my bills.
Sorry :-)

This is a simple test, executing a setuid process with file descriptor 2
closed, and then opening a file and seeing what fd it gets.

Linux 2.2.16    RedHat AXP              Not vulnerable (thanks fets)
Linux 2.5.6     Debian `Woody'          Not vulnerable
Linux 2.4.18    Debian `Potato'         Not vulnerable
OpenBSD 2.9                             Not vulnerable (thanks dim)
OpenBSD 3.0                             Not vulnerable (thanks sateh)
OpenBSD 3.1                             Not vulnerable (thanks dim)
OS X 10.1.4                             Not vulnerable (thanks sateh)
NetBSD 1.4.2                            Not vulnerable (thanks bounce)
Solaris 2.5.1-2.5.8                     Vulnerable

Code on http://ds9a.nl/setuid-fd-2.tar.gz 

For further tests, 'outer' might try to exhaust *all* available
file descriptors except 0, 1 or 2. This is left as an exercise for the
reader, or maybe we will beat you to it.

The trick is to leave enough fds available for ld.so.

Regards,

bert

-- 
http://www.PowerDNS.com/pdns   Try our new database driven nameserver!
http://www.tk                              the dot in .tk
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
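
The check described in the message above, reproduced in-process as an added example; this is not part of the original post and not the code from the tarball. It closes fd 2, reports which descriptor the next open() receives, and repeats the check after a startup sanitizer that parks /dev/null on any closed standard descriptor. The function names and the use of /dev/null as the opened file are assumptions of this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper (added example, not from setuid-fd-2.tar.gz):
 * make sure fds 0, 1 and 2 are all open by parking /dev/null on any
 * that are closed. Returns 0 on success, -1 on error. */
int sanitize_std_fds(void)
{
    for (;;) {
        int fd = open("/dev/null", O_RDWR);
        if (fd < 0)
            return -1;              /* caller should abort, not continue */
        if (fd > STDERR_FILENO) {   /* 0..2 were all taken: done */
            close(fd);
            return 0;
        }
        /* fd landed on 0, 1 or 2: that slot was closed, keep it filled */
    }
}

/* Close fd 2 as the parent in the test would, optionally run the
 * sanitizer, then report which descriptor the next open() receives. */
int next_fd_with_stderr_closed(int harden)
{
    int saved, fd;
    if (sanitize_std_fds() < 0)     /* known baseline: 0..2 open */
        return -1;
    saved = fcntl(STDERR_FILENO, F_DUPFD, 10);  /* keep real stderr */
    if (saved < 0)
        return -1;
    close(STDERR_FILENO);

    if (harden && sanitize_std_fds() < 0)
        fd = -1;
    else
        fd = open("/dev/null", O_WRONLY);   /* stands in for a data file */
    if (fd >= 0)
        close(fd);
    dup2(saved, STDERR_FILENO);     /* restore stderr for the caller */
    close(saved);
    return fd;
}

int main(void)
{
    printf("unhardened: next open() got fd %d\n", next_fd_with_stderr_closed(0));
    printf("hardened:   next open() got fd %d\n", next_fd_with_stderr_closed(1));
    return 0;
}
```

A privileged program would call the sanitizer first thing in main(), before opening any file, and exit if it returns -1.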