# FreeBSD bug grants local root access



## DutchDaemon (Sep 14, 2009)

> A security researcher has uncovered a security bug in the FreeBSD operating system that allows users with limited privileges to take full control of underlying systems.
> 
> The bug in FreeBSD's kqueue notification interface makes it trivial for those with local access to a vulnerable system to gain full root privileges, Przemyslaw Frasunek, an independent security consultant in Poland, told The Register. It affects *versions 6.0 through 6.4* of the operating system, the last two versions of which enjoy wide use and continue to be supported by the FreeBSD Foundation.
> 
> Versions *7.1 and beyond* are not vulnerable.



More:
http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/


----------



## anomie (Sep 14, 2009)

Ouch. Good thing all my services / users are in jails. (BTW, it's pretty annoying that the exploit is posted as a _video_. Now I have to get out my Ubuntu laptop.) 

Let's see what the official fix or workaround looks like -- once it's actually confirmed.


----------



## DutchDaemon (Sep 14, 2009)

This is basically it (the content of the video): http://i26.tinypic.com/3324ih5.png


----------



## anomie (Sep 14, 2009)

Thanks. I just got done watching the vid, too. 

Call me skeptical until this gets confirmed. No source code, nothing.


----------



## DutchDaemon (Sep 14, 2009)

Apparently, the exploit was reported on Aug 29, but no response from the FreeBSD Security Team/Officer yet. 

It's quite common to publish the existence and POC of an exploit but to keep the actual exploit under wraps until a fix has been made available.


----------



## fronclynne (Sep 14, 2009)

There's a thread about this on the freebsd-questions@ mailing list.  Thanks to good journalism (obviously taught at a reputable school), our intrepid reporter asked (emphasis mine, btw)


> Dan Goodin, a reporter at technology news website The Register. Security researcher Przemyslaw Frasunek says *versions* 6.x through 6.4 of FreeBSD *has* a security bug. He says he notified the FreeBSD Foundation on August 29 and never got a response. We'll be writing a brief article about this. Please let me know ASAP if someone cares to comment.


And then, without waiting for any responses, wrote the story.

I don't know why a "security researcher" would report a bug to the FreeBSD Foundation.

Also, Przemyslaw Frasunek does know how to use the PR system, since he has filed 3 in the last decade (that I could find).  The last one was in 2008.

Anyway, I'm sure if he gets serious we'll learn more.


----------



## Alt (Sep 15, 2009)

Bad news =(


----------



## DutchDaemon (Sep 15, 2009)

See http://forums.freebsd.org/showthread.php?p=41345 for FreeBSD 7.2 exploit.


----------



## vermaden (Sep 15, 2009)

> _Frasunek said he notified FreeBSD officials on August 29 and has yet to get a response. Robert Watson, a FreeBSD Core Team member, told El Reg that it appeared the email had gotten "lost in the slew" and he expected an advisory to be issued soon._



Probably it will be fixed a lot sooner, at least if mail was not _"lost in the slew"_


----------



## anomie (Sep 15, 2009)

I have one jail in particular that I'm a little concerned about. Since no one _needs_ to be compiling anything there, my temporary precaution is: 

```
# chmod go-rx /usr/bin/cc
```

(note that cc and gcc are the same inode; what you do to one you do to the other)

So we wait and see if this person coughs up the real proof next.


----------



## bb (Sep 16, 2009)

> `# chmod go-rx /usr/bin/cc`



Why should one lose time and compile the program on your system? If I can bring a source file onto your system, I can bring the binary as well.


----------



## vermaden (Sep 16, 2009)

@anomie

Taking this security issue aside, you can also build trimmed down jails using /etc/src.conf options, and for example exclude gcc and all compiler tools.


----------



## anomie (Sep 16, 2009)

@vermaden: Thanks -- that is a good idea. I should have adopted it as a best practice long ago.


----------



## vermaden (Sep 16, 2009)

You are welcome mate.

At your place I would also check *ezjail* from ports:
http://erdgeist.org/arts/software/ezjail/


----------

