______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor race vulnerability
Advisory number: CSSA-2002-SCO.43
Issue date: 2002 December 09
Cross reference:
______________________________________________________________________________
1. Problem Description
On current OpenBSD systems, any local user (whether or not a
member of the wheel group) can fill the kernel file descriptor
table, leading to a denial of service. Because of a flaw in the
way the kernel checks closed file descriptors 0-2 when running a
setuid program, it is possible to combine these bugs and gain
root access by winning a race condition.
Since UnixWare does not have a global kernel file descriptor
table (it has per-process, dynamically sized file descriptor
tables), it is not prone to the denial of service attack or to
the race condition that results in the root exploit.
The second problem, however, does exist: closing file
descriptors 0, 1 and/or 2 before exec'ing a setuid program
makes the first files that program opens land on those
descriptors, because open() always returns the lowest free
descriptor. Descriptors 0, 1 and 2 have special meaning for
libc (stdin, stdout and stderr), so whatever the program reads
from stdin, or writes to stdout or stderr, is actually read from
or written to the file it just opened. When that file is
root-owned, an unprivileged user can thereby read from or write
to it.
The fix done for BSD is to check (in the kernel) before
exec'ing a set[ug]id program whether fds 0, 1 and 2 are closed,
and if so redirect them to /dev/null. We have done the same fix
for UnixWare.
This fix will only kick in when an unprivileged process
execs a set[ug]id program.
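The following program is an added example written for this page; it is not
code from SCO, OpenBSD or the original advisory. It shows the lowest-free-
descriptor behaviour the problem description relies on, and a userland
counterpart of the kernel check (a set[ug]id program rebinding any closed
fd 0-2 to /dev/null itself before it opens anything). A forked child stands
in for the exec'ed privileged program and a temporary file stands in for the
root-owned file, so it runs as an ordinary user on any POSIX system; the
only assumptions are a writable /tmp (with a fallback to the current
directory) and the function names, which are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Userland counterpart of the kernel check the advisory describes (my own
 * routine, not the SCO patch): before touching any file, make sure fds 0,
 * 1 and 2 are open, pointing each closed one at /dev/null.  Returns how
 * many descriptors had to be fixed, or -1 on error.  Idempotent. */
static int sanitize_std_fds(void)
{
    int fixed = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                       /* already open, leave it alone */
        if (errno != EBADF)
            return -1;
        /* open() returns the lowest free descriptor, which is fd because we
         * walk 0..2 in order; verify that instead of assuming it. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {
            int rc = dup2(nfd, fd);
            close(nfd);
            if (rc == -1)
                return -1;
        }
        fixed++;
    }
    return fixed;
}

/* Stand-in for the privileged program: open a file (here a constructed
 * temporary file in place of a root-owned one), then print a diagnostic to
 * stderr as any program would.  Returns:
 *   0-2  the file landed on that standard descriptor and the stderr text
 *        was written into it (the vulnerable outcome)
 *   3    the file landed above fd 2 and was left untouched
 *   99   error or an unexpected combination */
static int open_file_then_complain(void)
{
    char path[] = "/tmp/fdrace.XXXXXX";
    int fd = mkstemp(path);
    if (fd == -1) {                         /* /tmp not writable: use cwd */
        strcpy(path, "./fdrace.XXXXXX");
        fd = mkstemp(path);
    }
    if (fd == -1)
        return 99;
    unlink(path);                           /* keep only the descriptor */

    static const char msg[] = "error: bad option\n";
    if (write(STDERR_FILENO, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1))
        return 99;

    char buf[64] = { 0 };
    if (lseek(fd, 0, SEEK_SET) == -1 || read(fd, buf, sizeof buf - 1) == -1)
        return 99;
    int landed = strcmp(buf, msg) == 0;     /* did "stderr" go into the file? */
    if (fd <= 2 && landed)
        return fd;
    if (fd > 2 && !landed)
        return 3;
    return 99;
}

/* Without the fix: the attacker closes fd 2 before exec, so the victim's
 * first open() returns 2 and its stderr output lands in that file. */
static int demo_unprotected(void)
{
    if (sanitize_std_fds() == -1)   /* ensure 0 and 1 are open: lowest free is 2 */
        return 99;
    close(STDERR_FILENO);
    return open_file_then_complain();
}

/* With the fix: 0, 1 and 2 are all closed, the check rebinds them to
 * /dev/null, the file lands above fd 2 and the diagnostic is discarded. */
static int demo_protected(void)
{
    close(STDIN_FILENO);
    close(STDOUT_FILENO);
    close(STDERR_FILENO);
    if (sanitize_std_fds() != 3)
        return 99;
    return open_file_then_complain();
}

/* Run a demo in a forked child so the caller's own descriptors survive. */
static int run_in_child(int (*demo)(void))
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0)
        _exit(demo());
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("unprotected: %d (2 = file on fd 2, stderr text inside it)\n",
           run_in_child(demo_unprotected));
    printf("protected:   %d (3 = file above fd 2, left untouched)\n",
           run_in_child(demo_protected));
    return 0;
}
```

The kernel fix in the advisory covers the exec boundary for set[ug]id
programs only; a routine like sanitize_std_fds() at the top of main() is
the defence a privileged program can carry itself, and it is harmless on a
kernel that already performs the check.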
2. Vulnerable Supported Versions
System           Binaries
----------------------------------------------------------------------
UnixWare 7.1.1   /etc/conf/pack.d/proc/Driver_atup.o
                 /etc/conf/pack.d/proc/Driver_mp.o
Open UNIX 8.0.0  /etc/conf/pack.d/proc/Driver_atup.o
                 /etc/conf/pack.d/proc/Driver_mp.o
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.1
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43
4.2 Verification
MD5 (erg712059.711.pkg.Z) = 1545beb0d12890de701e129de54bf7b6
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
*** NOTE: THE UW711M2 SUPPLEMENT MUST BE INSTALLED PRIOR TO
APPLYING THIS UPDATE.
Upgrade the affected binaries with the following sequence:
Download erg712059.711.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712059.711.pkg.Z
# pkgadd -d /var/spool/pkg/erg712059.711.pkg
5. Open UNIX 8.0.0
5.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43
5.2 Verification
MD5 (erg712059.ou8.pkg.Z) = 9291ab96576e48b55e981190480855ca
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.3 Installing Fixed Binaries
*** NOTE: THE OU800PK4 SUPPLEMENT MUST BE INSTALLED PRIOR TO
APPLYING THIS UPDATE.
Upgrade the affected binaries with the following sequence:
Download erg712059.ou8.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712059.ou8.pkg.Z
# pkgadd -d /var/spool/pkg/erg712059.ou8.pkg
6. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0766
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr865063, fz526562,
erg712059.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
8. Acknowledgements
FozZy <fozzy (at) dmpfrance (dot) com>, et al. discovered and researched
this vulnerability.
______________________________________________________________________________