Multiple BSD exec Race Condition Process Debugger Privilege Escalation

2002-01-16T00:00:00
ID OSVDB:19475
Type osvdb
Reporter Dag-Erling Smørgrav (des@FreeBSD.org), Logan Gabriel (gersh@sonn.com), Robert Watson (rwatson@FreeBSD.org)
Modified 2002-01-16T00:00:00

Description

Vulnerability Description

Multiple BSD operating systems contain a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a malicious user causes a process to exec a setuid binary while gaining ptrace control over it by using a debugger. The control lasts only for a short period of time before the process is activated. During this window, the controlling ptrace process can modify the address space of the controlled process and abuse its elevated privileges. This flaw may lead to a loss of integrity.

Solution Description

Upgrade to FreeBSD 4.4-STABLE, or the RELENG_4_3 or RELENG_4_4 security branch, dated after the respective correction date, as it has been reported to fix this vulnerability. In addition, FreeBSD has released patches to address this vulnerability.

Upgrade to NetBSD 1.4.4 or higher or 1.5.3 or higher, as it has been reported to fix this vulnerability. In addition, NetBSD has released patches to address this vulnerability.

Upgrade to OpenBSD 3.1 or higher, as it has been reported to fix this vulnerability. In addition, OpenBSD has released a patch to address this vulnerability.

References:

Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec.patch.asc
Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec.patch
Vendor Specific Solution URL: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/012_ptrace.patch
Vendor Specific Solution URL: ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.4.patch
Vendor Specific Solution URL: ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.5.patch
Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec-43R.patch
Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec-43R.patch.asc
Vendor Specific Advisory URL
Vendor Specific Advisory URL
Vendor Specific Advisory URL
ISS X-Force ID: 7945
CVE-2002-2092
Bugtraq ID: 3891