Published: 2002-08-12 00:00:00
Revised: 2016-10-17 22:22:10

[Original] FreeBSD kernel 4.6 and earlier closes the file descriptors 0, 1, and 2 after they have already been assigned to /dev/null when the descriptors reference procfs or linprocfs, which could allow local users to reuse the file descriptors in a setuid or setgid program to modify critical data and gain privileges.

[CNNVD] FreeBSD kernel vulnerability (CNNVD-200208-047)

FreeBSD kernel 4.6 and earlier, when file descriptors 0, 1 and 2 reference procfs or linprocfs, closes those descriptors after assigning them to /dev/null. A local user can exploit this to reuse the file descriptors in a setuid or setgid program to modify critical data and gain privileges.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  VULNWATCH  20020731 [VulnWatch] FreeBSD <=4.6 kernel problems, yet Linux and *BSD much better than Windows
(UNKNOWN)  BUGTRAQ  20020819 Freebsd FD exploit

- Vulnerability information

FreeBSD kernel vulnerability
High risk  Unknown
2002-08-12 00:00:00 2010-12-02 00:00:00

- Advisories and patches


- Vulnerability information

FreeBSD Kernel /dev/null File Descriptor Handling Local Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

FreeBSD contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the FreeBSD kernel allows a malicious user to directly supply input to file descriptors during the execution of a setuid or setgid program. This flaw may lead to a loss of integrity.

- Timeline

2002-07-31 Unknown
2002-08-19 Unknown

- Solution

Upgrade to version 4.6-STABLE; or to any of the RELENG_4_6 (4.6.1-RELEASE-p1), RELENG_4_5 (4.5-RELEASE-p10), or RELENG_4_4 (4.4-RELEASE-p17) security branches dated after the respective correction dates, as it has been reported to fix this vulnerability. In addition, FreeBSD has released patches for some older versions. It is also possible to correct the flaw by implementing the following workarounds: remove the setuid bit from exploitable programs and unmount all instances of the procfs and linprocfs filesystems.
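As an added example, not from the advisory or from FreeBSD's own code: a userland startup check that a setuid or setgid program can run before opening anything sensitive, so that it does not rely on the kernel-side /dev/null assignment this advisory reports as broken. If any of descriptors 0, 1 or 2 is closed, the next open() would be handed that number and later stdio writes would land in the opened file; the check reopens closed ones on /dev/null and verifies the result. Function names are my own.

```c
/* Added example: userland sanitization of descriptors 0, 1 and 2 for a
 * setuid/setgid program. The kernel is supposed to do this itself, but the
 * advisory above describes a FreeBSD <= 4.6 case (procfs/linprocfs) where
 * the /dev/null assignment is undone, so the program checks for itself. */
#include <fcntl.h>
#include <unistd.h>

/* Returns 1 if fd refers to an open descriptor, 0 if it is closed. */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Ensure descriptors 0, 1 and 2 are all open, pointing any closed one at
 * /dev/null. Returns the number of descriptors that had to be reopened,
 * or -1 if /dev/null could not be opened or the result does not verify.
 * Call this before dropping into privileged work or opening any file. */
int sanitize_std_fds(void)
{
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        /* open() returns the lowest free descriptor, which is fd here
         * because lower numbers were already handled in this loop. */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {            /* defensive: should not happen */
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        reopened++;
    }
    /* Verify rather than assume: the bug in the advisory is precisely that
     * an earlier /dev/null assignment did not stick. */
    for (int fd = 0; fd <= 2; fd++)
        if (!fd_is_open(fd))
            return -1;
    return reopened;
}
```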

- Related references

- Vulnerability author