OpenBSD kernel fails to properly check closed file descriptors "0-2" when running setuid program

2002-05-24T00:00:00
ID VU:314963
Type cert
Reporter CERT
Modified 2002-12-12T00:00:00

Description

Overview

The OpenBSD kernel does not adequately check file descriptors 0-2 prior to exec()ing setuid binaries. Other OS kernels may be vulnerable as well.

Description

The OpenBSD kernel does not adequately check file descriptors 0-2 prior to exec()ing setuid binaries. As a result, an attacker may be able to gain elevated privileges.
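
The check can also be made by a privileged program itself at startup, as defense in depth alongside the kernel patch. The following is an added example, not code from CERT or from the OpenBSD patch; the function name sanitise_std_fds is hypothetical. It matters because open() returns the lowest unused descriptor, so a file the program opens later would otherwise be assigned 0, 1 or 2 and be treated as standard input, output or error.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Ensure descriptors 0, 1 and 2 are open before the program opens anything
 * else. Any that are closed are pointed at /dev/null.
 * Returns the number of descriptors that had to be filled, or -1 on error.
 */
int sanitise_std_fds(void)
{
    int filled = 0;

    for (int fd = STDIN_FILENO; fd <= STDERR_FILENO; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                 /* descriptor is already open */
        if (errno != EBADF)
            return -1;                /* unexpected failure: do not guess */

        int nullfd = open("/dev/null", O_RDWR);
        if (nullfd == -1)
            return -1;
        if (nullfd != fd) {
            /* Lower slots are open, so this is not expected when single-
             * threaded; handle it anyway rather than leave the slot empty. */
            if (dup2(nullfd, fd) == -1) {
                close(nullfd);
                return -1;
            }
            close(nullfd);
        }
        filled++;
    }
    return filled;
}

int main(void)
{
    /* Call this first, before any other open(), socket() or pipe(). */
    int filled = sanitise_std_fds();
    if (filled == -1)
        return 1;                     /* refuse to run without safe stdio */
    printf("descriptors filled with /dev/null: %d\n", filled);
    return 0;
}
```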


Impact

A local attacker can gain root privileges.


Solution

Apply a patch from your vendor.

OpenBSD patches are available from:

OpenBSD 2.9 (026_fdalloc2.patch):

<ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/026_fdalloc2.patch>

OpenBSD 3.0:

<ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/021_fdalloc2.patch>

OpenBSD 3.1:

<ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/003_fdalloc2.patch>


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
OpenBSD| | -| 16 May 2002
The SCO Group| | 09 May 2002| 12 Dec 2002
Apple Computer Inc.| | 09 May 2002| 15 May 2002
Cray Inc.| | 09 May 2002| 15 May 2002
FreeBSD| | 09 May 2002| 15 May 2002
Hewlett-Packard Company| | 09 May 2002| 15 May 2002
IBM| | 09 May 2002| 16 May 2002
SGI| | 09 May 2002| 15 May 2002
BSDI| | 09 May 2002| 15 May 2002
Cisco Systems Inc.| | 10 May 2002| 15 May 2002
Compaq Computer Corporation| | 09 May 2002| 15 May 2002
Data General| | 09 May 2002| 15 May 2002
Debian| | 09 May 2002| 15 May 2002
Fujitsu| | 09 May 2002| 10 May 2002
Guardian Digital Inc.| | 09 May 2002| 15 May 2002

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.dmpfrance.com/fd_openbsd.c>
  • <http://www.securityfocus.com/bid/4708>
  • <http://www.openbsd.org/errata.html#fdalloc2>
  • <http://www.openbsd.org/errata30.html#fdalloc2>

Credit

This document was written by Ian A. Finlay.

Other Information

  • CVE IDs: Unknown
  • Date Public: 09 May 2002
  • Date First Published: 24 May 2002
  • Date Last Updated: 12 Dec 2002
  • Severity Metric: 29.53
  • Document Revision: 24