Concerning possible bugs in the 'inn' package

Russ Allbery rra at stanford.edu
Thu Sep 1 20:32:47 UTC 2005


Ben Schwarz <bschwarz at EECS.berkeley.EDU> writes:

> The specific type of bug which we have found stems from the standard
> file descriptors (FDs) on a Unix system. Typically, when a process is
> started, FD 0, 1 and 2 are set to standard in, standard out, and
> standard error respectively. Subsequent uses of input and output
> functions--such as printf--will read or write from one of these three
> descriptors. Customarily, a program starts with its standard file
> descriptors opened to terminal devices. However, since the kernel does
> not enforce this convention, an attacker can force a standard file
> descriptor of a victim program to be opened to a sensitive file, so that
> he may discover confidential information from the sensitive file or
> modify the sensitive file.

It makes no sense to me that this would have security implications.  Could
you explain a little bit more?  The attacker has to have access to open
the file in the first place in order to redirect output from an
application to that file, and if they have access to open the file in the
first place, they can just read the file or write to the file themselves.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
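
The quoted report rests on the kernel not enforcing what descriptors 0, 1 and 2 refer to when a process starts. As an added example (not code from INN or from either poster), this C sketch shows a common hardening step: at startup a program checks what its standard descriptors are and points any closed ones at /dev/null, so a file it opens later cannot be given one of those numbers. The function names are this example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* What a standard descriptor turned out to be at startup. */
enum fd_kind { FD_CLOSED, FD_TTY, FD_REGULAR_FILE, FD_OTHER };

/* Classify fd without reading from or writing to it. */
enum fd_kind classify_fd(int fd)
{
    struct stat st;

    if (fstat(fd, &st) == -1)
        return FD_CLOSED;          /* fstat fails when nothing is open here */
    if (isatty(fd))
        return FD_TTY;
    if (S_ISREG(st.st_mode))
        return FD_REGULAR_FILE;    /* the caller redirected it to a file */
    return FD_OTHER;               /* pipe, socket, /dev/null, ... */
}

/* Ensure 0, 1 and 2 are all open; closed ones are pointed at /dev/null.
 * Returns how many were filled in, or -1 if /dev/null cannot be opened. */
int sanitize_std_fds(void)
{
    int filled = 0;

    for (int fd = 0; fd <= 2; fd++) {
        if (classify_fd(fd) != FD_CLOSED)
            continue;
        /* open() hands back the lowest free number, normally fd itself. */
        int got = open("/dev/null", O_RDWR);
        if (got == -1)
            return -1;
        if (got != fd) {           /* defensive: move it into place */
            if (dup2(got, fd) == -1)
                return -1;
            close(got);
        }
        filled++;
    }
    return filled;
}

int main(void)
{
    int filled = sanitize_std_fds();   /* call before opening any other file */
    fprintf(stderr, "filled=%d stdin=%d stdout=%d stderr=%d\n", filled,
            classify_fd(0), classify_fd(1), classify_fd(2));
    return filled < 0;
}
```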


