Fts Libc File Traversal Routines May Let Local Users Cause the Routines to Make Unauthorized Modification to or Removal of Files on the System
|
|
SecurityTracker Alert ID: 1001706 |
|
SecurityTracker URL: http://securitytracker.com/id/1001706
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 8 2001
|
Impact:
Disclosure of system information, Modification of system information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): FreeBSD 4.3-RELEASE, 4.3-STABLE prior to the correction date; other OSs may also be affected
|
Description:
FreeBSD announced a race condition vulnerability in the fts routines that are used to traverse a file system that may allow a local user to cause the application using fts to access other parts of the file system.
The fts standard C library (libc) routines are reportedly vulnerable to a race condition when ascending a file hierarchy, which allows a local user that has control over part of the hierarchy into which fts is descending to cause the application to ascend beyond the starting point of the file traversal and enter other parts of the filesystem.
If the fts routines are being used by an application to perform operations on the filesystem (such as a recursive find or rm), the application may cause system damage or unauthorized modification of files.
|
Impact:
A local user may be able to cause files to be removed or modified when another user executes a command that uses the fts routines in a vulnerable manner.
|
Solution:
The vendor has released a fix for FreeBSD. See the Source Message for details on obtaining the fix.
|
Vendor URL: www.freebsd.org/ (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Fri, 08 Jun 2001 09:54:23 -0400
Subject: FreeBSD-SA-01:40.fts.asc
|
This is a multi-part message in MIME format.
--------------2496D74CF993070D39DD0549
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-01:40 Security Advisory
FreeBSD, Inc.
Topic: fts(3) routines contain race condition
Category: core
Module: libc
Announced: 2001-06-04
Credits: Nick Cleaton <nick@cleaton.net>
Todd Miller <millert@openbsd.org> helped to develop the
patch.
Affects: FreeBSD 4.3-RELEASE, 4.3-STABLE prior to the correction
date.
Corrected: 2001-06-01
FreeBSD only: NO
I. Background
The standard C library (libc) contains a set of routines known as fts
which allow an application to recursively traverse a filesystem.
II. Problem Description
The fts routines are vulnerable to a race condition when ascending a
file hierarchy, which allows an attacker who has control over part of
the hierarchy into which fts is descending to cause the application to
ascend beyond the starting point of the file traversal, and enter
other parts of the filesystem.
If the fts routines are being used by an application to perform
operations on the filesystem hierarchy, such as find(1) with a keyword
such as -exec or -delete, or rm(1) with the -r flag, these operations
can be incorrectly applied to files outside the intended hierarchy,
which may result in system damage or compromise.
All versions of FreeBSD prior to the correction date including
4.3-RELEASE are vulnerable to this problem.
III. Impact
Local users may be able to remove or modify files on the local system
which are owned or writable by a user running a command that uses the
FTS routines in a vulnerable way.
If the system administrator has enabled the daily_clean_tmps_enable
variable in /etc/periodic.conf, the find -delete command is run once
per day, allowing unauthorised removal of files on the system. This
option is not enabled by default.
IV. Workaround
None appopriate for the general vulnerability. The instance exposed
by the daily_clean_tmps_enable setting can be prevented by disabling
this switch in /etc/periodic.conf, if it has been enabled.
V. Solution
One of the following:
1) As of FreeBSD 4.3-RELEASE, we have introduced a new ``security fix
CVS branch'' which contains security fixes only, which can be tracked
using the standard FreeBSD tools (cvsup/CVS/etc). The branch name is
``RELENG_4_3''. Upgrade your vulnerable FreeBSD system to the
RELENG_4_3 branch after the correction date.
2) Upgrade your vulnerable FreeBSD system to 4.3-STABLE after the
correction dates.
3) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:
[FreeBSD 4.3 base system]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:40/fts.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:40/fts.patch.asc
Verify the detached PGP signature using your PGP utility.
# cd /usr/src/lib/libc
# patch -p < /path/to/patch
# make depend && make all install
# cd /usr/src/lib/libc_r
# make depend && make all install
# cd /usr/src/bin/chmod
# make depend && make all install
# cd /usr/src/bin/cp
# make depend && make all install
# cd /usr/src/bin/ls
# make depend && make all install
# cd /usr/src/bin/pax
# make depend && make all install
# cd /usr/src/bin/rm
# make depend && make all install
# cd /usr/src/usr.bin/chflags
# make depend && make all install
# cd /usr/src/usr.bin/du
# make depend && make all install
# cd /usr/src/usr.bin/find
# make depend && make all install
# cd /usr/src/usr.bin/chgrp
# make depend && make all install
# cd /usr/src/libexec/ftpd
# make depend && make all install
# cd /usr/src/usr.sbin/ckdist
# make depend && make all install
# cd /usr/src/usr.sbin/ctm
# make depend && make all install
# cd /usr/src/usr.sbin/mtree
# make depend && make all install
# cd /usr/src/usr.sbin/pkg_install
# make depend && make all install
This patch has been verified to apply to FreeBSD 4.3-RELEASE and
4.2-RELEASE; it may or may not apply to older, unsupported versions of
FreeBSD.
4) An experimental upgrade package is available for adventurous users
who wish to provide testing and feedback on the binary upgrade
process. This package may be installed on FreeBSD 4.3-RELEASE systems
only, and is intended for use on systems for which source patching is
not practical or convenient.
Since this is the first binary upgrade package produced for the
FreeBSD base system, it is not recommended that this be used on
production systems without first being tested on a scratch machine;
since the package replaces critical system files, a failed upgrade can
leave a system in an unusable state.
During the installation procedure, backup copies are made of the files
which are replaced by the package. These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patch state.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:40/security-patch-fts-01.40.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:40/security-patch-fts-01.40.tgz.asc
Verify the detached PGP signature using your PGP utility.
Bring the system down to single-user mode; this package should not be
installed from multi-user mode. If it desired to remove the package
at a later date, you should again do so from single-user mode.
# shutdown now
# pkg_add security-patch-fts-01.40
Follow the directions given after the installation of the package to
complete the system upgrade.
To bring the system back up to multi-user mode, type the following
command:
# exit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBOxnJK1UuHi5z0oilAQE6UQQApePYfWA0EeDN/I0wHMekqkv6Df68aAaS
F6anj0DTuXyItyAcAHiD+oen2stYHyPLIvRZ6XfqUVkphDVJxJkcN9ThZmXWbkSS
e/CIBPObKtX95CPg+Jq3wcdfk4MqAP7CUh3KFJsTIsZjAvKKkLJ7NN1JQJZn6e4E
izKW1WiN5uk=
=gGWt
-----END PGP SIGNATURE-----
--------------2496D74CF993070D39DD0549--
|
|
