Unzuthorized file access via file stdio decriptors in *BSD
updated since 22.04.02
Published: 10.12.02
Source: SECURITEAM
Type: client
Level: 9
Description: By exhausting all file descriptors and closing stderr it's possible to causesituation called application will open new file with descriptor 2 and all stderr output will be redirected to file.
Affected products:
OPENBSD:OpenBSD 3.1
OPENBSD:OpenBSD 3.0
OPENBSD:OpenBSD 2.9
FREEBSD:FreeBSD 4.5
SCO:UnixWare 7.1
SCO:Open UNIX 8.0
FREEBSD:FreeBSD 5.0
Original text:
SECURITEAM, [UNIX] Suid Application Execution May Give Local Root http://www.security.nnov.ru/search/document.asp?docid=2823
Patrick Oonk, Pine Internet Advisory: Setuid application execution may give local root in FreeBSD file://localhost/search/document.asp?docid=2826
FREEBSD, Security Advisory FreeBSD-SA-02:23.stdio
fozzy_@_dmpfrance.com, OpenBSD local DoS and root exploit
CALDERA, Security Update: [CSSA-2002-SCO.43] UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor race vulnerability
Related files:
stdio kernel bug in All releases of FreeBSD http://www.security.nnov.ru/files/iosmash.c
Proof Of Concept exploit for the Freebsd file descriptors bug http://www.security.nnov.ru/files/iosmash2.c
Discuss
|