The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of FreeBSD, HP-UX, Solaris, Tru64 UNIX: privilege elevation via stdio

Synthesis of the vulnerability 

By using file descriptors, a local attacker can elevate his privileges via suid or sgid programs.
Impacted products: FreeBSD, Tru64 UNIX, HP-UX, Solaris, Trusted Solaris.
Severity of this bulletin: 2/4.
Number of vulnerabilities in this bulletin: 5.
Creation date: 23/04/2002.
Revisions dates: 25/04/2002, 31/07/2002, 01/08/2002, 20/08/2002, 21/08/2002, 18/03/2003, 19/01/2007, 22/01/2007.
Références of this threat: BID-4568, BID-7132, CERTA-2002-AVI-167, Compaq SSRT0845, CVE-2002-0572, CVE-2002-0820, CVE-2007-0392, CVE-2007-0393, CVE-2007-0394, FreeBSD-SA-02:23, FreeBSD-SA-02:23.stdio, M-072, PINE-CERT-20020401, SSRT0845, V6-FBSTDIOSUIDCLOSE, VIGILANCE-VUL-2493, VU#809347.

Description of the vulnerability 

File descriptors for input/output are generally:
 - 0 for standard input
 - 1 for standard output
 - 2 for error output

When user requests a descriptor, system returns the first available. For example, if:
 - 0 is input,
 - 1 and 2 are output
 - 3 is /tmp/f file
the next file descriptor will be 4.

However, if a program is called with standard descriptors closed, system will reassociate them with newly opened descriptors.

The suid keyinit program, which generates S/Key keys, is vulnerable. Indeed, keyinit contains (simplifed):
  fd=open("/etc/fileofroot", etc.);
  if (erreur) fprintf(stderr, "%s: error in this program\n", argv[0]);
So, if an attacker previously closes descriptor 2 (which corresponds to stderr), fd receives 2, and the error message is writen in /etc/fileofroot. This file will then be corrupted by:
  "program name(argv[0]) : error in this program" [severity:2/4]

This vulnerability therefore permits a local attacker to alter behavior of programs in order for example to corrupt files and to elevate his privileges.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This threat impacts software or systems such as FreeBSD, Tru64 UNIX, HP-UX, Solaris, Trusted Solaris.

Our Vigil@nce team determined that the severity of this computer threat is medium.

The trust level is of type confirmed by the editor, with an origin of user shell.

This bulletin is about 5 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with a technician ability can exploit this cybersecurity bulletin.

Solutions for this threat 

FreeBSD : patch pour stdio.
Un patch était disponible, mais il ne corrigeait pas le système si procfs ou linprocfs est employé :
De nouveaux patchs le remplacent :
 - FreeBSD < 4.5-RELEASE-p4 et < 4.4-RELEASE-p11
 - FreeBSD >= 4.5-RELEASE-p4 ou >= 4.4-RELEASE-p11 ou 4.6-RELEASE

Tru64 UNIX : ERP pour stdio.
Des ERP sont disponibles :
 HP Tru64 UNIX/TruCluster Server 5.1A (PK3 BL3)
 HP Tru64 UNIX/TruCluster Server 5.1 (PK6 BL20)
 HP Tru64 UNIX/TruCluster Server 5.1 (PK5 BL19)
 HP Tru64 UNIX/TruCluster Server 5.0A (PK3 BL17)
 HP Tru64 UNIX/TruCluster Server 4.0G (PK3 BL17)
 HP Tru64 UNIX/TruCluster Server 4.0F (PK7 BL18)
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides an application vulnerability watch. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.