-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:76 Security Advisory FreeBSD, Inc. Topic: tcsh/csh creates insecure temporary file Category: core, ports Module: tcsh, 44bsd-csh Announced: 2000-11-20 Affects: FreeBSD 4.x, 3.x prior to the correction date. Corrected: 2000-11-04 (FreeBSD 4.1.1-STABLE) 2000-11-05 (FreeBSD 3.5.1-STABLE) 2000-11-09 (44bsd-csh port) 2000-11-19 (tcsh port) Credits: proton FreeBSD only: NO I. Background tcsh is an updated version of the traditional BSD C Shell (csh). Versions of csh and tcsh are included in the FreeBSD ports collection (tcsh, 44bsd-csh) and the FreeBSD base system (csh, tcsh). II. Problem Description The csh and tcsh code creates temporary files when the '<<' operator is used, however these are created insecurely and use a predictable filename based on the process ID of the shell. An attacker can exploit this vulnerability to overwrite an arbitrary file writable by the user running the shell. The contents of the file are overwritten with the text being entered using the '<<' operator, so it will usually not be under the control of the attacker. Therefore the likely impact of this vulnerability is a denial of service since the attacker can cause critical files writable by the user to be overwritten. It is unlikely, although possible depending on the circumstances in which the '<<' operator is used, that the attacker could exploit the vulnerability to gain privileges (this typically requires that they have control over the contents the target file is overwritten with). All versions of FreeBSD prior to the correction date are vulnerable to this problem: the /bin/csh shell included in the base system (which is the same as /bin/tcsh in recent versions) as well as the tcsh (versions prior to 6.09.03_1) and 44bsd-csh ports (versions prior to 44bsd-csh-20001106) in the ports collection. The problems with the base system shells and the 44bsd-csh port were resolved prior to the release of FreeBSD 4.2. The tcsh port was not fixed prior to the release, but the port is disabled in FreeBSD 4.2 since the same software exists in the base system. III. Impact Unprivileged local users can cause an arbitrary file writable by a victim to be overwritten when the victim invokes the '<<' operator in csh or tcsh (e.g. from within a shell script). If you have not installed the tcsh or 44bsd-csh ports on your 4.1.1-STABLE system dated after the correction date, your system is not vulnerable to this problem. IV. Workaround None practical. V. Solution Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE after the correction date, or patch your present system source code and rebuild. To patch your present system: download the relevant patch from the below location, and execute the following commands as root: [FreeBSD 4.x base system] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/tcsh.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/tcsh.patch.asc Verify the detached PGP signature using your PGP utility. cd /usr/src/contrib/tcsh patch -p < /path/to/patch cd /usr/src/bin/csh make depend && make all install [FreeBSD 3.x base system] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/csh.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/csh.patch.asc Verify the detached PGP signature using your PGP utility. cd /usr/src/bin/csh patch -p < /path/to/patch make depend && make all install [Ports collection] One of the following: 1) Upgrade your entire ports collection and rebuild the tcsh/44bsd-csh port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: [tcsh] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/shells/tcsh-6.09.03_1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/shells/tcsh-6.09.03_1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/shells/tcsh-6.09.03_1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/shells/tcsh-6.09.03_1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/shells/tcsh-6.09.03_1.tgz [44bsd-csh] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/shells/44bsd-csh-20001106.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/shells/44bsd-csh-20001106.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/shells/44bsd-csh-20001106.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/shells/44bsd-csh-20001106.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/shells/44bsd-csh-20001106.tgz 3) download a new port skeleton for the tcsh/44bsd-csh port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOhmfAlUuHi5z0oilAQGTBQP/fKPInKBn9a5NZSc5fWPYKdQda2gL1Mji bMaOpF6DiYb9NqKSQdBayq+cf3SI0tqnx0MWDads+Vx6E7zZJ1Eai8zXB0vx37sO vYULKsaK0Gp2wvPfEn0lDUN1l6tn7OQJIXg63i9qF2r/88G2stNbuxG6w++uponc PsehE1pTGQY= =ZAeV -----END PGP SIGNATURE-----