------------------------------------------------------------------------------ Soniq Security Advisory David Rufino <dr@soniq.net> Dec 9, 2001 Race Condition in FreeBSD AIO implementation http://elysium.soniq.net/dr/tao/tao.html ------------------------------------------------------------------------------ RISK FACTOR: LOW SYNOPSIS AIO is a POSIX standard for asynchronous I/O. Under certain conditions, scheduled AIO operations persist after an execve, allowing arbitrary overwrites in the memory of the new process. Combined with the permission to execute suid binaries, this can yield elevated priviledges. Currently VFS_AIO is not enabled in the default FreeBSD kernel config, however comments in ``LINT'' suggest security issues have been known about privately for some time: # Use real implementations of the aio_* system calls. There are numerous # stability issues in the current aio code that make it unsuitable for # inclusion on shell boxes. The type of file descriptor used for the AIO operation is important. For instance operations on pipes will not complete fully after an execve, whereas operations on sockets will. It is not known whether AIO operations on hard disk files persist in the desired manner. VULNERABLE SYSTEMS FreeBSD 4-STABLE upto at least 28/10/01 RESOLUTION Currently there are no known patches to remove all security issues. However a patch is available to limit the use of AIO syscalls to root at http://elysium.soniq.net/dr/tao/patch-01 EXPLOIT Given that FreeBSD AIO is not in active use at the moment, I have made available a proof of concept exploit, at http://elysium.soniq.net/dr/tao/tao.c CREDITS Discovery and exploitation was conducted by David Rufino. CONTACT INFORMATION dr+securityfocussucks@soniq.net http://elysium.soniq.net/dr/index.html
