security risk: ktrace(2) in FreeBSD prior to -current.
From: Darren Reed (avalon@coombs.anu.edu.au)
Date: 06/30/02
- Next message: Alessandro de Manzano: "Re: named 8.3.2-T1B vulnerable?"
- Previous message: Jeff Ito: "Re: named 8.3.2-T1B vulnerable?"
- Next in thread: Dag-Erling Smorgrav: "Re: security risk: ktrace(2) in FreeBSD prior to -current."
- Reply: Dag-Erling Smorgrav: "Re: security risk: ktrace(2) in FreeBSD prior to -current."
- Maybe reply: D J Hawkey Jr: "Re: security risk: ktrace(2) in FreeBSD prior to -current."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Darren Reed <avalon@coombs.anu.edu.au> To: security@freebsd.org Date: Mon, 1 Jul 2002 04:17:22 +1000 (Australia/ACT)
The bug in ktrace(2) is present in all FreeBSDs that don't have p_candebug() in the kernel. In short, this is 4-stable, etc.

What's the risk?

With OpenSSH 3.4, ssh-keysign gets installed setuid-root. Using the ktrace(2) bug, you can ktrace the ssh-keysign process after it resets its uids and watch it read your ssh host keys, be they RSA or DSA.

I'm working on a patch for FreeBSD that doesn't break either FreeBSD or ktrace(2) working the way it should.

In the meantime:

    chmod 555 `which ssh-keysign`

Darren
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message