Re: Multiple OS kernel insecure handling of stdio file descriptor

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Multiple OS kernel insecure handling of stdio file descriptor
From: Carson Gaspar <carson@xxxxxxxxxx>
Date: Sat, 20 Jan 2007 10:35:10 -0800
In-reply-to: <20070118210457.GN32450@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <45AF8280.4090600@xxxxxxxxxx> <20070118210457.GN32450@xxxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061025 Thunderbird/2.0b1pre Mnenhy/0.7.4.0

Peter Jeremy wrote:

On 2007-Jan-18 22:21:52 +0800, XFOCUS Security Team <security@xxxxxxxxxx> wrote:

The affected OSes allows local users to write to or read from restricted
files by closing the file descriptors 0 (standard input), 1 (standard
output), or 2 (standard error), which may then be reused by a called
setuid process that intended to perform I/O on normal files. the attack
which exploit this vulnerability possibly get root right.


This vulnerability has been known for years.  OpenBSD implemented a
kernel check to block this attack in 1998.  FreeBSD and NetBSD have
similar kernel checks and I believe glibc also has checks to block
this.  It is disturbing that none of the commercial OS vendors appear
to have bothered to protect against this.

Of course the _real_ problem is the badly written setuid app. Kernelchecks for "special" fds are just a condom to try and protect againstbroken code. Not that such checks aren't a good idea (since so much codeis so very broken), but any app that is vulnerable to this attack needsto be patched.

You'll note that the original advisory fails to specify any setuid appsthat are vulnerable to this attack, other than their broken POC. *yawn*


--
Carson

References:
- Multiple OS kernel insecure handling of stdio file descriptor
  - From: XFOCUS Security Team
- Re: Multiple OS kernel insecure handling of stdio file descriptor
  - From: Peter Jeremy

Prev by Date: Re: SMF "index.php?action=pm" Cross Site-Scripting
Next by Date: FreeForum 0.9.0 <=- (index.php fpath) Remote File Include Vulnerability
Previous by thread: Re: Multiple OS kernel insecure handling of stdio file descriptor
Next by thread: Re: Multiple OS kernel insecure handling of stdio file descriptor
Index(es):
- Date
- Thread