CERT Vulnerability Note VU#314963

OpenBSD kernel fails to properly check closed file descriptors "0-2" when running setuid program

Published: May 24, 2002 (www.kb.cert.org)

CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Access Vector: Local. Access Complexity: Low. Authentication: None. Confidentiality, Integrity and Availability Impact: Complete.

EPSS: 0.001 Low (percentile 25.4%)

Overview

The OpenBSD kernel does not adequately check file descriptors 0-2 prior to exec()ing setuid binaries. Other OS kernels may be vulnerable as well.

Description

The OpenBSD kernel does not adequately check file descriptors 0-2 prior to exec()ing setuid binaries. Since 1998 the kernel has opened dummy descriptors on 0, 1 and 2 when they are closed at the time a setuid or setgid program is exec'd, so that the program's first open() cannot land on a descriptor that libc treats as stdin, stdout or stderr. That allocation was not handled correctly when the file descriptor table is full: a local user who fills the table can win a race in which the dummy descriptors are not allocated, the setuid program's own open() returns descriptor 0, 1 or 2, and whatever the program then writes to stderr (or reads from stdin) goes to, or comes from, that file instead. As a result, an attacker may be able to gain elevated privileges.
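The mechanism behind this note, shown as an added example in C that is not CERT, OpenBSD or SCO code. It runs unprivileged and simulates the setuid victim inside one process: the "attacker" closes descriptor 2, the victim opens its data file (POSIX hands back the lowest free descriptor, so the file becomes fd 2), and the victim's diagnostic written to stderr lands in the data file. `sanitize_std_fds()` is the userland counterpart of the kernel fix the vendors describe: before doing anything else, point any closed descriptor 0-2 at /dev/null. The function names, the /tmp path and the log text are this example's own assumptions.

```c
/* fd012_demo.c -- added example, not CERT or OpenBSD code.
 *
 * Demonstrates the closed-descriptor attack on a setuid program and the
 * userland counterpart of the kernel fix: make sure descriptors 0-2 are
 * open (pointing any closed one at /dev/null) before the program does
 * anything else.  Runs unprivileged; the "setuid victim" is simulated
 * inside this process.  Function names, the /tmp path and the log text
 * are this example's own choices.
 *
 * Build and run:  cc -Wall -o fd012_demo fd012_demo.c && ./fd012_demo
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static const char LOGMSG[] = "warning: malformed input record\n";

/* Ensure descriptors 0, 1 and 2 are open.  A closed one gets /dev/null.
 * Returns the number repaired, or -1 if /dev/null could not be opened
 * (for example because the descriptor table is full); a privileged
 * program should then exit rather than continue with broken fds. */
int sanitize_std_fds(void)
{
    struct stat st;
    int fixed = 0;

    for (int fd = 0; fd <= 2; fd++) {
        if (fstat(fd, &st) == 0)
            continue;                 /* already open: leave it alone */
        if (errno != EBADF)
            return -1;
        int nfd = open("/dev/null", O_RDWR);
        if (nfd < 0)
            return -1;
        if (nfd != fd) {              /* lowest free fd should be 'fd'; be safe */
            if (dup2(nfd, fd) < 0) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        fixed++;
    }
    return fixed;
}

/* What a setuid program typically does: open its data file for writing,
 * then report a problem on stderr.  open() returns the lowest free
 * descriptor, so if fd 2 was closed when we were exec'd and nothing
 * repaired it, the data file *is* fd 2 and the "stderr" text goes into it. */
static void victim(int harden, const char *path)
{
    if (harden && sanitize_std_fds() < 0)
        return;                        /* fail closed */
    int data = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (data < 0)
        return;
    ssize_t w = write(2, LOGMSG, sizeof LOGMSG - 1);   /* meant for the user */
    (void)w;
    close(data);
}

/* Run the attack against the victim.  Returns 1 if the stderr message
 * ended up inside the data file, 0 if the file stayed empty, -1 on
 * setup failure. */
int run_scenario(int harden)
{
    char path[64], buf[sizeof LOGMSG];
    int fd, saved;
    ssize_t n;

    if (sanitize_std_fds() < 0)        /* baseline: 0-2 all open */
        return -1;
    snprintf(path, sizeof path, "/tmp/fd012demo.%ld", (long)getpid());

    if ((saved = dup(2)) < 0)          /* keep our real stderr */
        return -1;
    close(2);                          /* attacker: exec with fd 2 closed */
    victim(harden, path);
    dup2(saved, 2);                    /* restore stderr */
    close(saved);

    fd = open(path, O_RDONLY);
    n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0)
        close(fd);
    unlink(path);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return strcmp(buf, LOGMSG) == 0;
}

int main(void)
{
    printf("unhardened victim: %s\n", run_scenario(0) == 1
           ? "stderr text landed in the data file" : "data file untouched");
    printf("hardened victim:   %s\n", run_scenario(1) == 1
           ? "stderr text landed in the data file" : "data file untouched");
    return 0;
}
```

Calling a routine like sanitize_std_fds() first thing in main() is cheap insurance for any setuid program, since the vendor statements below show that not every kernel performs this check on exec. It does not replace the kernel fix: the race FozZy found is exactly the case where the descriptor table is already full, and there the userland routine can only fail closed (open() of /dev/null fails, the program exits) rather than repair the descriptors.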


Impact

A local attacker can gain root privileges.


Solution

Apply a patch from your vendor.

OpenBSD patches are available from:

OpenBSD 2.9:

<ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/026_fdalloc2.patch>

OpenBSD 3.0:

<ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/021_fdalloc2.patch>

OpenBSD 3.1:

<ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/003_fdalloc2.patch>


Vendor Information


OpenBSD: Affected

Updated: May 16, 2002.

Vendor Statement

In July of 1998 the OpenBSD kernel was modified to populate file
descriptors 0-2 on exec for setuid (and setgid) processes. This
was done to defeat an attack on setuid programs that open files for
writing and also write to descriptors 0-2 (usually via stdin, stdout
or stderr).

The fix at that time didn’t properly deal with the possibility that
the allocation of the dummy descriptors could fail due to a full
file descriptor table. It has come to our attention that there is
a winnable race condition when the file descriptor table is full,
allowing an fd 0-2 attack to succeed.

Credit for finding this goes to FozZy of Hackademy / Hackerz Voice.
Please see his advisory on bugtraq for more in-depth details.

The following patches are available:

OpenBSD-3.1:
<ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/003_fdalloc2.patch>

OpenBSD-3.0:
<ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/021_fdalloc2.patch>

OpenBSD-2.9:
<ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/026_fdalloc2.patch>

OpenBSD-current as well as the OpenBSD 2.9, 3.0 and 3.1 -stable
branches have already been patched.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

The SCO Group: Affected

Notified: May 09, 2002. Updated: December 12, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum:

Title: SCO Security Advisory: UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor race vulnerability

Detail:

______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor race vulnerability
Advisory number: CSSA-2002-SCO.43
Issue date: 2002 December 09
Cross reference:

1. Problem Description
On current OpenBSD systems, any local user (whether or not in the wheel group) can fill the kernel file descriptor table, leading to a denial of service. Because of a flaw in the way the kernel checks closed file descriptors 0-2 when running a setuid program, it is possible to combine these bugs and earn root access by winning a race condition.
Since UnixWare does not have a global kernel file descriptor table (it has per-process dynamic file descriptor tables), it is not prone to the denial of service attack or to the race condition resulting in the root exploit.
The second problem, however, does exist: closing file descriptors 0, 1 and/or 2 before exec'ing a setuid program can make that program open files under these fds, which have special meanings for libc (stdin/out/err). Reading or writing root-owned files can be made possible, since stdXX == opened_file.
The fix done for BSD is to check (in the kernel) before exec'ing a set[ug]id program whether fds 0, 1 and 2 are closed, and if so redirect them to /dev/null. We have done the same fix for UnixWare.
This fix will only kick in when an unprivileged process execs a set[ug]id program.

2. Vulnerable Supported Versions

    System           Binaries
    UnixWare 7.1.1   /etc/conf/pack.d/proc/Driver_atup.o
                     /etc/conf/pack.d/proc/Driver_mp.o
    Open UNIX 8.0.0  /etc/conf/pack.d/proc/Driver_atup.o
                     /etc/conf/pack.d/proc/Driver_mp.o

3. Solution
The proper solution is to install the latest packages.

4. UnixWare 7.1.1
4.1 Location of Fixed Binaries
<ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43>

4.2 Verification
MD5 (erg712059.711.pkg.Z) = 1545beb0d12890de701e129de54bf7b6
md5 is available for download from <ftp://ftp.sco.com/pub/security/tools>

4.3 Installing Fixed Binaries
*** NOTE: THE UW711M2 SUPPLEMENT MUST BE INSTALLED PRIOR TO APPLYING THIS UPDATE.
Upgrade the affected binaries with the following sequence:
Download erg712059.711.pkg.Z to the /var/spool/pkg directory

    # uncompress /var/spool/pkg/erg712059.711.pkg.Z
    # pkgadd -d /var/spool/pkg/erg712059.711.pkg

5. Open UNIX 8.0.0
5.1 Location of Fixed Binaries
<ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43>

5.2 Verification
MD5 (erg712059.ou8.pkg.Z) = 9291ab96576e48b55e981190480855ca
md5 is available for download from <ftp://ftp.sco.com/pub/security/tools>

5.3 Installing Fixed Binaries
*** NOTE: THE OU800PK4 SUPPLEMENT MUST BE INSTALLED PRIOR TO APPLYING THIS UPDATE.
Upgrade the affected binaries with the following sequence:
Download erg712059.ou8.pkg.Z to the /var/spool/pkg directory

    # uncompress /var/spool/pkg/erg712059.ou8.pkg.Z
    # pkgadd -d /var/spool/pkg/erg712059.ou8.pkg

6. References
Specific references for this advisory:
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0766>
SCO security resources:
<http://www.sco.com/support/security/index.html>
This security fix closes SCO incidents sr865063, fz526562, erg712059.

7. Disclaimer
SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products.

8. Acknowledgements
FozZy <[email protected]>, et al. discovered and researched this vulnerability.

Apple Computer Inc.: Not Affected

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: Mac OS X does not contain this vulnerability.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Cray Inc.: Not Affected

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: Cray, Inc. is not vulnerable since the skey program is not supported in Unicos and Unicos/mk.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

FreeBSD: Not Affected

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We are not affected.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Hewlett-Packard Company: Not Affected

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: HP-UX is not vulnerable.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

IBM: Not Affected

Notified: May 09, 2002. Updated: May 16, 2002.

Vendor Statement: IBM's AIX operating system is not vulnerable.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

SGI: Not Affected

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: IRIX is not vulnerable.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

BSDI: Unknown

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Cisco Systems Inc.: Unknown

Notified: May 10, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Compaq Computer Corporation: Unknown

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Data General: Unknown

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Debian: Unknown

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Fujitsu: Unknown

Notified: May 09, 2002. Updated: May 10, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Guardian Digital Inc.: Unknown

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

MandrakeSoft: Unknown

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

NEC Corporation: Unknown

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

NetBSD: Unknown

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Nortel Networks: Unknown

Notified: May 09, 2002. Updated: May 13, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Red Hat Inc.: Unknown

Notified: May 09, 2002. Updated: May 10, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

SSH Communications Security: Unknown

Notified: May 10, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Sequent: Unknown

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Sony Corporation: Unknown

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

SuSE Inc.: Unknown

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Sun Microsystems Inc.: Unknown

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.

Unisys: Unknown

Notified: May 09, 2002. Updated: May 15, 2002.

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The CERT/CC has no additional comments at this time.


Acknowledgements

This document was written by Ian A. Finlay.

Other Information

CVE IDs: None (the SCO advisory above references CAN-2002-0766)
Severity Metric: 29.53
Date Public:
