Home page logo

bugtraq logo Bugtraq mailing list archives

Re: OpenBSD 2.9,2.8 local root compromise
From: Jason R Thorpe <thorpej () zembu com>
Date: Thu, 14 Jun 2001 23:38:03 -0700

On Thu, Jun 14, 2001 at 07:09:31PM +0200, Przemyslaw Frasunek wrote:

On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
OpenBSD 2.9,2.8
Have not tested on other OSes but they may be vulnerable

FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
privileges before allowing detach.

Uh, the fundamental problem is that there's a chance to PT_ATTACH to
such a process before the P_SUGID bit is set in the proc.  This can
happen when, e.g. the ucred structure is copied (there is a potentially
blocking malloc() call in that path).

A cursory glance shows several places where the FreeBSD kernel has
code like:

        /* sanity check */
        /* blocking call */
        /* change user/group ID */
        /* set P_SUGID */

During the /* blocking call */, another process can sneak in and PT_ATTACH
the process that is about to become sugid.

        -- Jason R. Thorpe <thorpej () zembu com>

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]