|
Details Date: Thu, 23 Oct 1997 10:04:42 -0500 From: Aleph One <aleph1@dfw.net> To: BUGTRAQ@NETSPACE.ORG Subject: Possible SERIOUS bug in open()? [ This affects {Free,Net,Open}BSD. Joerg Wunsch fixed it yesterday in freebsd-current. - a1 ] ---------- Forwarded message ---------- Date: 17 Oct 1997 10:42:13 -0000 From: explorer@flame.org To: best-of-security@cyber.com.au Subject: BoS: Possible SERIOUS bug in open()? This was sent to me recently... It seems to be a pretty serious hole in open() and permissions... Note, in the following, open() succeeds, and ioctls are probably executed... /* * This will give you a file descriptor on a device you should not have * access to. This seems really, really screwed up, since holding a fd * lets you do a lot of ioctls that you should not be able to do... */ #include <fcntl.h> #include <stdio.h> #include <unistd.h> #include <err.h> int main(int argc, char **argv) { int fd; fd = open("/dev/rsd0a", -1, 0); if (fd < 0) err(1, "open"); } From aleph1@DFW.NET Sat Nov 15 18:24:01 1997 Date: Wed, 29 Oct 1997 17:36:46 -0600 From: Aleph One To: BUGTRAQ@NETSPACE.ORG Subject: FreeBSD Security Advisory: FreeBSD-SA-97:05.open X-Premail-Auth: Key matching expected Key ID 73D288A5 not found ---------- Forwarded message ---------- Date: Wed, 29 Oct 1997 20:01:00 +0100 (MET) From: FreeBSD Security Officer To: freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org Subject: FreeBSD Security Advisory: FreeBSD-SA-97:05.open -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-97:05 Security Advisory FreeBSD, Inc. Topic: security compromise via ffb open() Category: core Module: kern Announced: 1997-10-29 Affects: FreeBSD 2.1.*, FreeBSD 2.2.*, FreeBSD-stable and FreeBSD-current Corrected: FreeBSD-current as of 1997/10/23 (partly even on 1997/04/14) FreeBSD-stable as of 1997/10/24 FreeBSD 2.1-stable as of 1997/10/29 FreeBSD only: yes Patches: ftp://freebsd.org/pub/CERT/patches/SA-97:05/ ============================================================================= I. Background In FreeBSD, the open() system call is used in normal file operations. When calling open(), the caller should specify if the file is to be opened for reading, for writing or for both. The right to reading from and/or writing to a file is controlled by the file's mode bits in the filesystem. In FreeBSD, open() is also used to obtain the right to do privileged io instructions. II. Problem Description A problem exists in the open() syscall that allows processes to obtain a valid file descriptor without having read or write permissions on the file being opened. This is normally not a problem. The FreeBSD way of obtaining the right to do io instructions however, is based on the right to open a specific file (/dev/io). III. Impact The problem can be used by any user on the system to do unauthorised io instructions. IV. Workaround No workaround is available. V. Solution Apply the following patches. The first one in /usr/src/sys/kern, and the second one in /usr/src/sys/i386/i386, Rebuild your kernel, install it and reboot your system. patch 1: For FreeBSD-current before 1997/10/23: Index: vfs_syscalls.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.76 retrieving revision 1.77 diff -u -r1.76 -r1.77 --- vfs_syscalls.c 1997/10/12 20:24:27 1.76 +++ vfs_syscalls.c 1997/10/22 07:28:51 1.77 @@ -863,11 +863,13 @@ struct flock lf; struct nameidata nd; + flags = FFLAGS(SCARG(uap, flags)); + if ((flags & FREAD + FWRITE) == 0) + return (EINVAL); error = falloc(p, &nfp, &indx); if (error) return (error); fp = nfp; - flags = FFLAGS(SCARG(uap, flags)); cmode = ((SCARG(uap, mode) &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p); p->p_dupfd = -indx - 1; /* XXX check for fdopen */ For FreeBSD 2.1.* and 2.2.*: Index: vfs_syscalls.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.51.2.5 diff -u -r1.51.2.5 vfs_syscalls.c --- vfs_syscalls.c 1997/10/01 06:23:48 1.51.2.5 +++ vfs_syscalls.c 1997/10/28 22:04:43 @@ -688,11 +688,13 @@ struct flock lf; struct nameidata nd; + flags = FFLAGS(uap->flags); + if ((flags & FREAD + FWRITE) == 0) + return (EINVAL); error = falloc(p, &nfp, &indx); if (error) return (error); fp = nfp; - flags = FFLAGS(uap->flags); cmode = ((uap->mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, p); p->p_dupfd = -indx - 1; /* XXX check for fdopen */ patch 2: For FreeBSD 2.1.* and 2.2.* and For FreeBSD-current before 1997/04/14: Index: mem.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/i386/i386/mem.c,v retrieving revision 1.38 retrieving revision 1.38.2.1 diff -u -r1.38 -r1.38.2.1 --- mem.c 1996/09/27 13:25:06 1.38 +++ mem.c 1997/10/23 22:14:24 1.38.2.1 @@ -169,6 +169,7 @@ int fmt; b32 struct proc *p; { + int error; struct trapframe *fp; switch (minor(dev)) { @@ -179,6 +180,11 @@ return ENODEV; #endif case 14: + error = suser(p->p_ucred, &p->p_acflag); + if (error != 0) + return (error); + if (securelevel > 0) + return (EPERM); fp = (struct trapframe *)curproc->p_md.md_regs; fp->tf_eflags |= PSL_IOPL; break; ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNFeHI1UuHi5z0oilAQEtvAQAgMrMQvRpBOiV1nWzPzDSsnQOz4bBppcT SMEssoeRrr0cQQACZ4su3vlb71XJzgXi3bakEvvZgsMSSKb3sNxEl0RHR93cDNlE L9x3sDjbY7l1q2W4BldTly7W4WDjnJt5KEVbi7DKhXb+SuxgaSN0lsow5Cgd54jX skpX4qluhBM= =47P3 -----END PGP SIGNATURE-----