FreeBSD bug grants local root access

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer
A security researcher has uncovered a security bug in the FreeBSD operating system that allows users with limited privileges to take full control of underlying systems.

The bug in FreeBSD's kqueue notification interface makes it trivial for those with local access to a vulnerable system to gain full root privileges, Przemyslaw Frasunek, an independent security consultant in Poland, told The Register. It affects versions 6.0 through 6.4 of the operating system, the last two versions of which enjoy wide use and continue to be supported by the FreeBSD Foundation.

Versions 7.1 and beyond are not vulnerable.

More:
http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/
 
Ouch. Good thing all my services / users are in jails. (BTW, it's pretty annoying that the exploit is posted as a video. Now I have to get out my Ubuntu laptop.)

Let's see what the official fix or workaround looks like -- once it's actually confirmed.
 
Thanks. I just got done watching the vid, too.

Call me skeptical until this gets confirmed. No source code, nothing.
 
Apparently, the exploit was reported on Aug 29, but no response from the FreeBSD Security Team/Officer yet.

It's quite common to publish the existence and POC of an exploit but to keep the actual exploit under wraps until a fix has been made available.
 
There's a thread about this on the freebsd-questions@ mailing list. Thanks to good journalism (obviously taught at a reputable school), our intrepid reporter asked (emphasis mine, btw)
Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says [red]versions[/red] 6.x through 6.4 of FreeBSD [red]has[/red] a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment.
And then, without waiting for any responses, wrote the story.

I don't know why a "security researcher" would report a bug to the FreeBSD Foundation.

Also, Przemyslaw Frasunek does know how to use the PR system, since he has filed 3 in the last decade (that I could find). The last one was in 2008.

Anyway, I'm sure if he gets serious we'll learn more.
 
Frasunek said he notified FreeBSD officials on August 29 and has yet to get a response. Robert Watson, a FreeBSD Core Team member, told El Reg that it appeared the email had gotten "lost in the slew" and he expected an advisory to be issued soon.

Propably it will be fixed a lot sooner, at least if mail was not "lost in the slew" ;)
 
I have one jail in particular that I'm a little concerned about. Since no one needs to be compiling anything there, my temporary precaution is:
Code:
# chmod go-rx /usr/bin/cc

(note that cc and gcc are the same inode; what you do to one you do to the other)

So we wait and see if this person coughs up the real proof next.
 
# chmod go-rx /usr/bin/cc

Why should one loose time and compile the program on your system. If I can bring a source file onto your system, I can bring the binary as well.
 
@anomie

Taking this security issue aside, you can also build trimmed down jails using /etc/src.conf options, and for example exclude gcc and all compiler tools.
 
Back
Top