Bugtraq mailing list archives
Re: Multiple OS kernel insecure handling of stdio file descriptor
From: Carson Gaspar <carson () taltos org>
Date: Sat, 20 Jan 2007 10:35:10 -0800
Peter Jeremy wrote:
> On 2007-Jan-18 22:21:52 +0800, XFOCUS Security Team <security () xfocus org> wrote:
>> The affected OSes allow local users to write to or read from restricted files by closing the file descriptors 0 (standard input), 1 (standard output), or 2 (standard error), which may then be reused by a called setuid process that intended to perform I/O on normal files. The attack which exploits this vulnerability possibly gets root rights.
>
> This vulnerability has been known for years. OpenBSD implemented a kernel check to block this attack in 1998. FreeBSD and NetBSD have similar kernel checks and I believe glibc also has checks to block this. It is disturbing that none of the commercial OS vendors appear to have bothered to protect against this.

Of course the _real_ problem is the badly written setuid app. Kernel checks for "special" fds are just a condom to try and protect against broken code. Not that such checks aren't a good idea (since so much code is so very broken), but any app that is vulnerable to this attack needs to be patched.
You'll note that the original advisory fails to specify any setuid apps that are vulnerable to this attack, other than their broken POC. *yawn*
-- Carson
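
The application-side fix discussed above, as an added example that is not part of the original post or thread: a setuid program makes sure descriptors 0, 1 and 2 are occupied before it opens any file of its own, so a later `open()` can never land on a stdio slot. The function name `sanitize_stdio`, the use of `/dev/null` and the exit code are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/*
 * Call first thing in main(), before any open(), fopen(), socket() etc.
 * Returns the number of stdio descriptors that were closed on entry and
 * have now been plugged with /dev/null, or -1 if the state cannot be
 * made safe (the caller should then exit without doing any I/O).
 */
int sanitize_stdio(void)
{
    int plugged = 0;

    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                 /* descriptor is open, leave it */
        if (errno != EBADF)
            return -1;                /* unexpected failure */

        /* open() returns the lowest free descriptor. 0..fd-1 are known
         * to be open at this point, so the result must be fd itself. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {              /* should not happen; refuse to go on */
            close(nfd);
            return -1;
        }
        plugged++;
    }
    return plugged;
}

int main(void)
{
    /* On failure stderr may not exist, so exit silently rather than
     * risk writing a message into some other file. */
    if (sanitize_stdio() < 0)
        _exit(111);                   /* arbitrary exit code (assumption) */

    /* ... privileged work that opens files goes here ... */
    return 0;
}
```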