lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 19 Jan 2007 08:04:57 +1100
From: Peter Jeremy <>
To: XFOCUS Security Team <>
Subject: Re: Multiple OS kernel  insecure handling of stdio file descriptor

On 2007-Jan-18 22:21:52 +0800, XFOCUS Security Team <> wrote:
>The affected OSes allows local users to write to or read from restricted
>files by closing the file descriptors 0 (standard input), 1 (standard
>output), or 2 (standard error), which may then be reused by a called
>setuid process that intended to perform I/O on normal files. the attack
>which exploit this vulnerability possibly get root right.

This vulnerability has been known for years.  OpenBSD implemented a
kernel check to block this attack in 1998.  FreeBSD and NetBSD have
similar kernel checks and I believe glibc also has checks to block
this.  It is disturbing that none of the commercial OS vendors appear
to have bothered to protect against this.

Peter Jeremy

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists