Bugtraq mailing list archives

Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio
From: bert hubert <ahu () ds9a nl>
Date: Mon, 22 Apr 2002 22:28:22 +0200

Credits:        Joost Pol <joost () pine nl>

Joost rules. And my apologies to Pine for always being late paying my bills.
Sorry :-)

This is a simple test, executing a setuid process with file descriptor 2
closed, and then opening a file and seeing what fd it gets.

Linux 2.2.16    RedHat AXP              Not vulnerable (thanks fets)
Linux 2.5.6     Debian `Woody'          Not vulnerable
Linux 2.4.18    Debian `Potato'         Not vulnerable
OpenBSD 2.9                             Not vulnerable (thanks dim)
OpenBSD 3.0                             Not vulnerable (thanks sateh)
OpenBSD 3.1                             Not vulnerable (thanks dim)
OS X 10.1.4                             Not vulnerable (thanks sateh)
NetBSD 1.4.2                            Not vulnerable (thanks bounce)
Solaris 2.5.1-2.5.8                     Vulnerable

Code on http://ds9a.nl/setuid-fd-2.tar.gz 

For further tests, 'outer' might try to exhaust *all* available
file descriptors except 0, 1 or 2. This is left as an exercise for the
reader, or maybe we will beat you to it.

The trick is to leave enough fd's available for ld.so.

Regards,

bert

-- 
http://www.PowerDNS.com/pdns   Try our new database driven nameserver!
http://www.tk                              the dot in .tk
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
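
The mitigation side of the test above, as an added example that is not part of the original message or of the code at the URL it links: a startup check for a setuid program that makes sure descriptors 0, 1 and 2 are open before anything else is opened. The function names are hypothetical, and /dev/null is assumed to be present.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper: call first thing in main() of a setuid program.
 * Points any closed descriptor among 0, 1, 2 at /dev/null.
 * Returns how many were repaired, or -1 if that was not possible. */
int sanitize_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                        /* fd is already open */
        int nfd = open("/dev/null", O_RDWR); /* lowest free fd, so == fd */
        if (nfd != fd) {                     /* fail closed */
            if (nfd != -1)
                close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

/* Reproduce the tested condition in-process: close fd 2, optionally run
 * the check, and return the descriptor the next open() is given. */
int next_fd_with_stderr_closed(int harden)
{
    int saved = -1, fd = -1;
    if (sanitize_std_fds() == -1 || (saved = dup(2)) == -1)
        return -1;
    close(2);
    if (!harden || sanitize_std_fds() == 1)
        fd = open("/dev/null", O_RDONLY);
    if (fd != -1)
        close(fd);
    dup2(saved, 2);                          /* restore the real stderr */
    close(saved);
    return fd;
}

int main(void)
{
    int unchecked = next_fd_with_stderr_closed(0);
    int checked = next_fd_with_stderr_closed(1);
    printf("unchecked: next open() got fd %d\n", unchecked);
    printf("checked:   next open() got fd %d\n", checked);
    return 0;
}
```

Without the check the next open() lands on descriptor 2, so anything the program later writes to stderr goes into that file; with the check it lands above 2.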
