BSD f_count Wrapped Count Arbitrary Privilege Escalation

1985-06-03T00:00:00
ID OSVDB:604
Type osvdb
Reporter OSVDB
Modified 1985-06-03T00:00:00

Description

Vulnerability Description

BSD contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when a malicious user creates a trivial program that opens a file more than 20 times, forking and repeating. When this program creates more than 20 processes, with each process maxing out at 20 file descriptors, the f_count variable, which is a char data type, wraps back to 0 and starts to increase again. If a malicious user can set f_count to exactly 0 and then open a read-only file, he or she can enable write access on other descriptors. The flaw can also be timed with the execution of a setuid binary to steal its file descriptors. This permits write access to both files and directories. This flaw may lead to a loss of integrity.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: change the data types for f_count and i_count from char to short.
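
The counter wrap and the workaround above, as an added example in C that is not from the original advisory or from BSD source. It is a user-space model that assumes an 8-bit char counter and a 16-bit short; the function names are hypothetical, and the checked increment goes beyond the page's workaround to show a counter that refuses a reference instead of wrapping.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not BSD source. Figures come from the description:
 * 20 processes, each holding 20 descriptors on the same open file. */
#define NPROC  20
#define NOFILE 20

/* 8-bit counter, modelling the char f_count (the width is an assumption). */
unsigned refs_seen_narrow(unsigned refs) {
    uint8_t f_count = 0;
    for (unsigned i = 0; i < refs; i++)
        f_count++;                      /* silently wraps 255 -> 0 */
    return f_count;
}

/* 16-bit counter, modelling the workaround of changing char to short. */
unsigned refs_seen_wide(unsigned refs) {
    int16_t f_count = 0;
    for (unsigned i = 0; i < refs && f_count < INT16_MAX; i++)
        f_count++;
    return (unsigned)f_count;
}

/* Hypothetical checked increment: fail the request rather than wrap.
 * Returns 0 on success, -1 when the counter is already at its maximum. */
int ref_take_checked(int16_t *f_count) {
    if (*f_count == INT16_MAX)
        return -1;
    (*f_count)++;
    return 0;
}

/* How many of `refs` requested references a checked counter grants. */
unsigned refs_granted_checked(unsigned refs) {
    int16_t f_count = 0;
    unsigned granted = 0;
    for (unsigned i = 0; i < refs; i++)
        if (ref_take_checked(&f_count) == 0)
            granted++;
    return granted;
}

int main(void) {
    unsigned live = NPROC * NOFILE;     /* live references in the scenario */
    printf("live=%u char=%u short=%u\n", live,
           refs_seen_narrow(live), refs_seen_wide(live));
    printf("checked counter grants %u of 40000\n", refs_granted_checked(40000));
    return 0;
}
```

With the narrow counter the recorded count no longer matches the number of live references, which is the inconsistency the description relies on; the wide counter records all of them, and the checked variant bounds the count without ever wrapping.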

References:

Mail List Post: http://securitydigest.org/unix/archive/017