search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

FreeBSD can be compromised locally via signal handlers

Vulnerability Note VU#943633

Original Release Date: 2001-09-14 | Last Revised: 2002-12-12

Overview

The FreeBSD operating system does not adequately clear signal handlers subsequent to a process calling exec() on a setuid program. This vulnerability can allow a local attacker to execute arbitrary code as root.

Description

The unix fork() function's purpose is to create a new process from an existing process. The new process is called the child process, and the existing process is called the parent. When a process forks, it inherits the parent's signal handling settings. The unix exec() function's purpose is to replace the current process image with a new process image. After this has occured, the kernel should clear the signal handlers because they are no longer valid. Because the FreeBSD operating system does not adequately clear signal handlers subsequent to a process calling exec(), an attacker can execute arbitrary code as root.

Impact

An local attacker may be able to execute arbitrary code as root.

Solution

Apply a patch from your vendor or upgrade your operating system to FreeBSD 4.3-STABLE.

Vendor Information

943633
 
Expand all

FreeBSD Affected

Notified:  July 02, 2001 Updated: September 14, 2001

Status

Affected

Vendor Statement

Please see ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:42.signal.v1.1.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc. Not Affected

Updated:  October 04, 2001

Status

Not Affected

Vendor Statement

We did check both unicos and unicos/mk and cray is not vulnerable. On an exec() system call, all registered signals are reset to their defaults.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company Not Affected

Notified:  September 14, 2001 Updated: September 21, 2001

Status

Not Affected

Vendor Statement

HP is not vulnerable. Our source code shows that we reset registers, any caught signals, etc., to the default (sig_dfl) on exec. Only pending signals and siginfos, but not the disposition to receive queued signals, are preserved across an exec.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

The CERT Coordination Center thanks Georgi Guninski for discovering this vulnerability and the FreeBSD project for providing a patch to address the vulnerability.

This document was written by Ian A. Finlay.

Other Information

CVE IDs: CVE-2001-1180
Severity Metric: 29.25
Date Public: 2001-07-10
Date First Published: 2001-09-14
Date Last Updated: 2002-12-12 18:39 UTC
Document Revision: 30

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis