Contributed by jose on from the class-of-bugs dept.
Pine Digital Security Advisory

Advisory ID     : PINE-CERT-20040201 (CAN-2004-0114)
Authors         : Joost Pol
Vendor Informed : 2004-02-01
Issue date      : 2004-02-05
Application     : kernel / sysv shared memory
Platforms       : FreeBSD, NetBSD and OpenBSD
Availability    : http://www.pine.nl/press/pine-cert-20040201.txt

Synopsis

While gathering material for a security training, Pine Digital Security encountered a reference count overflow condition which could lead to privilege escalation.

Versions

Vulnerable versions include: FreeBSD >= 2.2.0, NetBSD >= 1.3 and OpenBSD >= 2.6

Impact

Serious. Local users can elevate their privileges.

Description

The shmat(2) function maps a shared memory segment, previously created with the shmget(2) function, into the address space of the calling process.
UPDATE: Patches are out for 3.4-stable and 3.3-stable.
Here is the mail from security-announce:
Date: Thu, 05 Feb 2004 16:35:48 -0700
From: Todd C. Miller
To: security-announce@openbsd.org
Subject: Reference counting bug in shmat(2)

A reference counting bug exists in the shmat(2) system call that could be used by an attacker to write to kernel memory under certain circumstances. The bug, found by Joost Pol, could be used to gain elevated privileges and has been successfully exploited under FreeBSD.

Patches for OpenBSD 3.4 and 3.3 respectively are also available:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/010_sysvshm.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/015_sysvshm.patch

The patch is already present in OpenBSD-current as well as in the 3.3 and 3.4 -stable branches.

For more information on the bug, see Joost Pol's description at:
http://www.pine.nl/press/pine-cert-20040201.txt
By Anonymous Coward () on
By Anonymous Coward () on
Apply by doing:
cd /usr/src
patch -p0 <010_sysvshm.patch
And then rebuild your kernel.
By Anonymous Coward () on
The FAQ says
make obj && make depend && make
but make obj fails.
Just plain 'make' doesn't actually seem to build anything. The command prompt returns in a second or so with no feedback.
By tedu () on
By Anonymous Coward () on
I was looking at the patch faq, but that appears to be for apps, mostly.
By Christian () on www.cschwede.de
If you need binary patches for OBSD 3.4/i386, have a look at my site.
Cheers, Christian.
By Jason Wong () annoyed@eudoramail.com on mailto:annoyed@eudoramail.com
Instead of:
if (error)
the sys/kern/sysv_shm.c file for 3.2 has:
if (rv != KERN_SUCCESS) {
return ENOMEM;
}
Any suggestions? Unfortunately, I'm not a kernel hacker...
By Colin Percival () cperciva@daemonology.net on http://www.daemonology.net
uao_detach(shm_handle->shm_object);
just before "return ENOMEM;".
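The mechanism behind the advisory above, and the uao_detach() fix that the last two comments describe, as an added example written for this page (it is not Pine's, OpenBSD's or any commenter's code): a user-space C model of a reference count that is taken before a mapping attempt and, in the vulnerable shape, never given back when the mapping fails. Everything here is a stand-in chosen for the demonstration: struct aobj for the uvm object, fake_map() for the mapping step, shmdt_model() for shmdt(2), and an 8-bit counter so the wrap shows after a few hundred calls. The assumption that the kernel's real counter is wider is mine; it only changes how many failing shmat(2) calls a leak needs before the count wraps.

```c
/*
 * Constructed user-space model of the shmat(2) error-path reference leak
 * (CAN-2004-0114). Added illustration, not the OpenBSD kernel code: struct
 * aobj, fake_map(), shmdt_model() and the 8-bit counter are stand-ins for
 * the uvm object, uvm_map(), shmdt(2) and the real (assumed wider) count.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct aobj {
    uint8_t  refs;      /* what the kernel believes; 8 bits so the wrap shows quickly */
    unsigned holders;   /* ground truth: mappings that really exist */
    bool     freed;     /* set when refs drops to zero on a detach */
};

/* Stand-ins for uao_reference() / uao_detach(). */
static void aobj_reference(struct aobj *o)
{
    o->refs++;                          /* wraps silently at 256 */
}

static void aobj_detach(struct aobj *o)
{
    if (--o->refs == 0)
        o->freed = true;                /* last reference tears the object down */
}

/* Stand-in for the mapping step: the caller decides whether it fails. */
static int fake_map(bool fail)
{
    return fail ? ENOMEM : 0;
}

/* Vulnerable shape: a reference is taken, then ENOMEM is returned on map
 * failure without giving it back, so every failed attach leaks one count. */
static int shmat_leaky(struct aobj *o, bool map_fails)
{
    aobj_reference(o);
    if (fake_map(map_fails) != 0)
        return ENOMEM;                  /* reference leaked here */
    o->holders++;                       /* mapping really exists */
    return 0;
}

/* Fixed shape: the reference is dropped before the error return, the
 * uao_detach() call the comments above describe adding before "return ENOMEM". */
static int shmat_fixed(struct aobj *o, bool map_fails)
{
    aobj_reference(o);
    if (fake_map(map_fails) != 0) {
        aobj_detach(o);
        return ENOMEM;
    }
    o->holders++;
    return 0;
}

/* Stand-in for shmdt(2): one real mapping goes away. */
static void shmdt_model(struct aobj *o)
{
    o->holders--;
    aobj_detach(o);
}

/* Counter value after n failing attaches against an object with one holder.
 * The leaky variant returns (1 + n) mod 256, the fixed variant always 1. */
static unsigned refs_after_failures(int (*attach)(struct aobj *, bool), unsigned n)
{
    struct aobj o = { .refs = 1, .holders = 1, .freed = false };
    for (unsigned i = 0; i < n; i++)
        attach(&o, true);
    return o.refs;
}

/* Attacker pattern: one real attach, enough failing attaches to wrap the
 * counter, then a real detach. Returns true when the object is freed while a
 * mapping still exists, i.e. the kernel now holds a dangling reference. */
static bool freed_while_mapped(int (*attach)(struct aobj *, bool), unsigned failing_calls)
{
    struct aobj o = { .refs = 1, .holders = 1, .freed = false };   /* segment's own reference */
    attach(&o, false);                  /* attacker maps it for real: refs becomes 2 */
    for (unsigned i = 0; i < failing_calls; i++)
        attach(&o, true);               /* each failure leaks (leaky) or is neutral (fixed) */
    shmdt_model(&o);                    /* attacker unmaps its one real mapping */
    return o.freed && o.holders > 0;
}

int main(void)
{
    printf("leaky: freed while mapped = %d\n", freed_while_mapped(shmat_leaky, 255));
    printf("fixed: freed while mapped = %d\n", freed_while_mapped(shmat_fixed, 255));
    return 0;
}
```

With 255 failing attaches the leaky variant's counter reads 1 although two references exist, so the attacker's own shmdt() frees the object out from under the segment's remaining reference; the fixed variant never drops below the true holder count. The review check is the same one the patch applies: every error return after the reference is taken must be paired with a release.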