FreeBSD bug grants local root access (FreeBSD 6.x)

> utisoft@... writes:
>
>> It appears to only affect 6.x.... and requires local access. If an
>> attacker has local access to a machine you're screwed anyway.
>
> No, the thing you're screwed anyway by is local *physical* access. Merely
> running a process as a non-root local user should *not* be a "you're screwed
> anyway" scenario. The fundamental security guarantee of a modern operating
> system is that different principals cannot affect each other's resources
> (user chris cannot read or write user jane's email -- let alone root's
> email). This bug breaks that guarantee, and is definitely not a ho-hum bug.

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chris Palmer wrote:
>> utisoft@... writes:
>>
>>> It appears to only affect 6.x.... and requires local access. If an
>>> attacker has local access to a machine you're screwed anyway.
>>
>> No, the thing you're screwed anyway by is local *physical* access. Merely
>> running a process as a non-root local user should *not* be a "you're screwed
>> anyway" scenario. The fundamental security guarantee of a modern operating
>> system is that different principals cannot affect each other's resources
>> (user chris cannot read or write user jane's email -- let alone root's
>> email). This bug breaks that guarantee, and is definitely not a ho-hum bug.
>
> Exactly.  This type of vulnerability could turn into a serious threat if
> being used with some other vulnerabilities that allows code injection,
> which is worse.
>
> Cheers,
> - --
> Xin LI <delphij@...>    http://www.delphij.net/

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hi,
>
>Frederique Rijsdijk wrote:
> > Hi,
> >
> > Any info on this subject on
> >
> > http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/
>
>Currently we (secteam@) are testing the correction patch and do
>peer-review on the security advisory draft, the bug was found and fixed
>on -HEAD and 7-STABLE before 7.1-RELEASE during some stress test but was
>not recognized as a security vulnerability at that time.  The exploit
>code has to be executed locally, i.e. either by an untrusted local user,
>or be exploited in conjunction with some remote vulnerability on
>applications that allow the attacker to inject their own code.
>
>We can not release further details about the problem at this time,
>though, but I think we will likely to publish the advisory and
>correction patch this patch Wednesday.

> At 05:08 AM 9/15/2009, Xin LI wrote:
> >Frederique Rijsdijk wrote:
> > > Hi,
> > >
> > > Any info on this subject on
> > >
> > > http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/
> >
> >Currently we (secteam@) are testing the correction patch and do
> >peer-review on the security advisory draft, the bug was found and fixed
> >on -HEAD and 7-STABLE before 7.1-RELEASE during some stress test but was
> >not recognized as a security vulnerability at that time.  The exploit
> >code has to be executed locally, i.e. either by an untrusted local user,
> >or be exploited in conjunction with some remote vulnerability on
> >applications that allow the attacker to inject their own code.
> >
> >We can not release further details about the problem at this time,
> >though, but I think we will likely to publish the advisory and
> >correction patch this patch Wednesday.
>
>          Just wondering if there is any update on this issue ?

> On 2009.09.25 08:52:25 -0400, Mike Tancsa wrote:
>> At 05:08 AM 9/15/2009, Xin LI wrote:
>> >Frederique Rijsdijk wrote:
>> > > Hi,
>> > >
>> > > Any info on this subject on
>> > >
>> > > http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/
>> >
>> >Currently we (secteam@) are testing the correction patch and do
>> >peer-review on the security advisory draft, the bug was found and fixed
>> >on -HEAD and 7-STABLE before 7.1-RELEASE during some stress test but was
>> >not recognized as a security vulnerability at that time.  The exploit
>> >code has to be executed locally, i.e. either by an untrusted local user,
>> >or be exploited in conjunction with some remote vulnerability on
>> >applications that allow the attacker to inject their own code.
>> >
>> >We can not release further details about the problem at this time,
>> >though, but I think we will likely to publish the advisory and
>> >correction patch this patch Wednesday.
>>
>>          Just wondering if there is any update on this issue ?
>
> It turned out more difficult to fix than expected and we (secteam)
> didn't handle that as well as we should have, but I think we are
> almost there so the advisory should be out soon - sometime this week
> at the latest.
>
> Sorry about the delay - this should have been fixed by now.
>
> --
> Simon L. Nielsen
> FreeBSD Deputy Security Officer