FreeBSD can be compromised locally via signal handlers

2001-09-14T00:00:00
ID VU:943633
Type cert
Reporter CERT
Modified 2002-12-12T00:00:00

Description

Overview

The FreeBSD operating system does not adequately clear signal handlers subsequent to a process calling exec() on a setuid program. This vulnerability can allow a local attacker to execute arbitrary code as root.

Description

The Unix fork() function creates a new process from an existing process. The new process is called the child process, and the existing process is called the parent. When a process forks, the child inherits the parent's signal handling settings. The Unix exec() function replaces the current process image with a new process image. After this has occurred, the kernel should clear the signal handlers because they are no longer valid. Because the FreeBSD operating system does not adequately clear signal handlers subsequent to a process calling exec(), an attacker can execute arbitrary code as root.
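
Added example, not part of the original advisory: a small C check of the semantics described above, usable as a regression test on a patched system. It confirms that a forked child inherits the parent's SIGUSR1 disposition and that, after exec(), a caught handler is back at the default action while an ignored signal stays ignored. The names probe_exec and on_usr1, the result codes and the use of /bin/sh are assumptions of this example.

```c
/* Added example (not from the advisory); all names here are illustrative. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

static void on_usr1(int sig) { (void)sig; }  /* handler code lives in THIS image */
enum { RESET_TO_DEFAULT = 0, STILL_IGNORED = 1, NOT_INHERITED = 2, PROBE_ERROR = 3 };

/* Set SIGUSR1 to `disp` in the parent, fork, verify the child inherited it,
 * then exec a shell that signals itself. How that shell ends reveals the
 * disposition the new process image actually started with. */
static int probe_exec(void (*disp)(int))
{
    struct sigaction sa, cur;
    int status;
    pid_t pid;

    sa.sa_handler = disp;
    sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) == -1) return PROBE_ERROR;

    pid = fork();
    if (pid == -1) return PROBE_ERROR;
    if (pid == 0) {
        /* fork(): the child starts with a copy of the parent's disposition. */
        if (sigaction(SIGUSR1, NULL, &cur) == -1 || cur.sa_handler != disp)
            _exit(100);
        sigprocmask(SIG_SETMASK, &sa.sa_mask, NULL); /* empty mask: SIGUSR1 deliverable */
        execl("/bin/sh", "sh", "-c", "kill -USR1 $$; exit 0", (char *)NULL);
        _exit(127);                                  /* exec failed */
    }
    if (waitpid(pid, &status, 0) == -1) return PROBE_ERROR;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGUSR1) return RESET_TO_DEFAULT;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return STILL_IGNORED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 100) return NOT_INHERITED;
    return PROBE_ERROR;
}

int main(void)
{
    /* Correct kernel: caught handler -> default action; SIG_IGN survives exec. */
    int caught = probe_exec(on_usr1);
    int ignored = probe_exec(SIG_IGN);
    return (caught == RESET_TO_DEFAULT && ignored == STILL_IGNORED) ? 0 : 1;
}
```

The program exits 0 when both dispositions behave as expected; probe_exec leaves the caller's SIGUSR1 disposition changed, so run it as a stand-alone check.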


Impact

A local attacker may be able to execute arbitrary code as root.


Solution

Apply a patch from your vendor or upgrade your operating system to FreeBSD 4.3-STABLE.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
FreeBSD| | 02 Jul 2001| 14 Sep 2001
Cray Inc.| | -| 04 Oct 2001
Hewlett-Packard Company| | 14 Sep 2001| 21 Sep 2001

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:42.signal.v1.1.asc>
  • <http://www.guninski.com/vvfreebsd.html>
  • <http://www.securityfocus.com/bid/3007>

Credit

The CERT Coordination Center thanks Georgi Guninski for discovering this vulnerability and the FreeBSD project for providing a patch to address the vulnerability.

This document was written by Ian A. Finlay.

Other Information

  • CVE IDs: CVE-2001-1180
  • Date Public: 10 Jul 2001
  • Date First Published: 14 Sep 2001
  • Date Last Updated: 12 Dec 2002
  • Severity Metric: 29.25
  • Document Revision: 30