__________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                          FreeBSD Signal Handling Flaw
                    [FreeBSD, Inc. Security Advisory 01:42]

July 10, 2001 22:00 GMT                                           Number L-111
______________________________________________________________________________
PROBLEM:       A flaw exists in FreeBSD signal handling clearing that allows 
               some signals handlers to remain in effect in child processes 
PLATFORM:      All versions of 4.x prior to correction date including 
               4.3-RELEASE 
DAMAGE:        An attacker can execute arbitrary code 
SOLUTION:      Apply the appropriate patch or upgrade system as described 
               below 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM: A local attacker could gain root access by 
ASSESSMENT:    executing code in a setuid context 
______________________________________________________________________________

[******  Start FreeBSD Bulletin ******]

FreeBSD-SA-01:42                  Security Advisory
                                     FreeBSD, Inc.

Topic:          signal handling during exec may allow local root
                compromise

Category:       core
Module:         kernel
Announced:      2001-07-10
Credits:        Georgi Guninski <guninski@guninski.com>
Affects:        All released versions of FreeBSD 4.x,
                FreeBSD 4.3-STABLE prior to the correction date.
Corrected:      2001-07-09
FreeBSD only:   Yes

I.   Background

When a process forks, it inherits the parent's signals.  When the
process execs, the kernel clears the signal handlers because they are
not valid in the new address space.

II.  Problem Description

A flaw exists in FreeBSD signal handler clearing that would allow for
some signal handlers to remain in effect after the exec.  Most of the
signals were cleared, but some signal hanlders were not.  This allowed
an attacker to execute arbitrary code in the context of a setuid
binary.

All versions of 4.x prior to the correction date including and
4.3-RELEASE are vulnerable to this problem.  The problem has been
corrected by copying the inherited signal handlers and resetting the
signals instead of sharing the signal handlers.

III. Impact

Local users may be able to gain increased privileges on the local
system.

IV.  Workaround

Do not allow untrusted users to gain access to the local system.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE after the
correction date.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

[FreeBSD 4.1, 4.2, and 4.3 base systems]

This patch has been verified to apply to FreeBSD 4.1, 4.2, and 4.3 only.
It may or may not apply to older releases.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:42/signal-4.3.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:42/signal-4.3.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/sys/kern
# patch -p < /path/to/patch

[ Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system ] 

[******  End FreeBSD Bulletin ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of FreeBSD, Inc for the information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-100: FrontPage Sub-Component Vulnerability
L-101: Microsoft LDAP Over SSL Password Vulnerability
L-102: HP OpenView Network Node Manager Security Vulnerability
L-103: Sun ypbind Buffer Overflow Vulnerability
L-104: SuSE Linux, xinetd Buffer Overflow
L-105: Samba Security Vulnerability
L-106: Cisco IOS HTTP Authorization Vulnerability
L-107: Microsoft Authentication Error in SMTP Service
L-108: Oracle 8i TNS Listener Vulnerability
L-110: HP Open View Event Correlation Services Vulnerability