FreeBSD inetd wheel Group File Read Vulnerability
BID:2324
Info
| Bugtraq ID: | 2324 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 29 2001 12:00AM |
| Updated: | Jan 29 2001 12:00AM |
| Credit: | This vulnerability was discovered by dynamo <[email protected]>, and announced to Bugtraq in a FreeBSD Security Advisory on January 29, 2001. |
| Vulnerable: | FreeBSD FreeBSD 4.2, FreeBSD FreeBSD 4.1.1, FreeBSD FreeBSD 3.5.1, FreeBSD FreeBSD 3.5 |
| Not Vulnerable: | |
Discussion
inetd is the superserver of internet services, included with most implementations of the UNIX Operating System. FreeBSD is a freely available, open source implementation of UNIX.
A problem in the implementation of inetd as distributed with FreeBSD could allow access to restricted resources. Due to the design of the inetd package, inetd incorrectly sets group privileges on child processes, depending on the user. When an ident request is received, the identd process is started by inetd and inherits the group privileges of wheel, the root group. By sending a custom-crafted request to the identd process, it is possible to manipulate the process into reading the first 16 bytes of any wheel-readable file.
This flaw makes it possible for a user with malicious motives to read the first 16 bytes of sensitive files, potentially accessing the first entry of the encrypted password file, and gaining access to or elevated privileges on the local host.
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
A patch is available:
FreeBSD FreeBSD 3.5
- FreeBSD 3.5.1 inetd-3.5.1.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch
FreeBSD FreeBSD 3.5.1
- FreeBSD 3.5.1 inetd-3.5.1.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch
FreeBSD FreeBSD 4.1.1
- FreeBSD 4.2 inetd-4.2.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch
FreeBSD FreeBSD 4.2
- FreeBSD 4.2 inetd-4.2.patch
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch