Date: Wed, 16 Jan 2002 21:11:06 -0500
From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Subject: Fwd: NetBSD Security Advisory 2002-001 Close-on-exec, SUID and ptrace(2)
Message-ID: <5.1.0.14.0.20020116211004.0269d600@192.168.0.12>
There is mention of other BSDs as well in the advisory below. Was/is this
an old issue for FreeBSD or one that is currently relevant?
---Mike
>Date: Wed, 16 Jan 2002 13:04:32 -0500
>From: NetBSD Security Officer <security-officer@netbsd.org>
>To: bugtraq@securityfocus.com
>Subject: NetBSD Security Advisory 2002-001 Close-on-exec, SUID and ptrace(2)
>Reply-To: NetBSD Security Officer <security-officer@netbsd.org>
>User-Agent: Mutt/1.2.5.1i
>Organisation: The NetBSD Foundation, Inc.
>X-Virus-Scanned: by AMaViS perl-10
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
> NetBSD Security Advisory 2002-001
> =================================
>
>Topic: Close-on-exec, SUID and ptrace(2)
>
>Version: NetBSD-current: prior to January 14, 2002
> NetBSD-1.5.*: affected up to and including 1.5.2
> NetBSD-1.4.*: affected up to and including 1.4.3
>
>Severity: local root privilege compromise
>
>Fixed: NetBSD-current: January 14, 2002
> NetBSD-1.5 branch: January 14, 2002
> NetBSD-1.4 branch: January 14, 2002
>
>
>Abstract
>========
>
>A process could exec a setuid binary, while gaining ptrace control
>over it for a short period before the process was activated. The
>ptrace controller process could then modify the address space of the
>controlled process and abuse its elevated privileges.
>
>Technical Details
>=================
>
>The opportunity for abuse is similar to the issues in NetBSD-SA2001-009,
>though the cause is different. A race condition existed which allowed
>bypassing of the usual restrictions against using ptrace on setugid
>processes.
>
>Since there is no known public exploit of this issue, and it is known to
>affect other BSDs it would be a public disservice to provide further
>insight at this time.
>
>A patch is being included for procfs which can be exploited in a similar
>fashion.
>
>Note that the ptrace portion of this advisory affects all kernels, not
>only kernels with particular options, such as procfs.
>
>Solutions and Workarounds
>=========================
>
>The only workaround available is to disable all logins by untrusted
>users. The race should still be patched, since it would allow elevation
>to root privileges if some other vulnerability allowed a non-privileged
>account to be compromised.
>
>Since all recent NetBSD versions are affected, anyone who grants or has
>granted user accounts to untrusted users on their systems should apply the
>patch for this issue immediately.
>
>While initial tests against earlier versions such as NetBSD-1.3.x were
>unsuccessful, it is still expected that this issue would apply to these older
>versions as well. It is strongly recommended that systems running
>NetBSD-1.3.x and earlier be upgraded to a more recent release for many
>security and performance reasons.
>
>The following instructions describe how to upgrade your kernel by
>updating your source tree or patching it.
>
>* NetBSD-current:
>
> Systems running NetBSD-current dated from before 2002-01-14
> should be upgraded to NetBSD-current dated 2002-01-15 or later.
>
> The following files need to be updated from the
> netbsd-current CVS branch (aka HEAD):
> sys/kern/kern_exec.c
> sys/kern/sys_process.c
> sys/sys/proc.h
> sys/miscfs/procfs/procfs_ctl.c
> sys/miscfs/procfs/procfs_mem.c
> sys/miscfs/procfs/procfs_regs.c
> sys/miscfs/procfs/procfs_vnops.c
>
> To update your kernel sources from CVS:
> # cd src
> # cvs update -d -P sys/kern/kern_exec.c
> # cvs update -d -P sys/kern/sys_process.c
> # cvs update -d -P sys/sys/proc.h
> # cvs update -d -P sys/miscfs/procfs/procfs_ctl.c
> # cvs update -d -P sys/miscfs/procfs/procfs_mem.c
> # cvs update -d -P sys/miscfs/procfs/procfs_regs.c
> # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c
>
> Then build and install a new kernel. If you are not familiar
> with this process, documentation is available at:
>
>
>http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>
>* NetBSD 1.5, 1.5.1, 1.5.2:
>
> Systems running NetBSD 1.5-branch sources dated from
> before 2002-01-14 should be upgraded from NetBSD 1.5-branch
> sources dated 2002-01-15 or later.
>
> The following files need to be updated from the
> netbsd-1-5 CVS branch:
> sys/kern/kern_exec.c
> sys/kern/sys_process.c
> sys/sys/proc.h
> sys/miscfs/procfs/procfs_ctl.c
> sys/miscfs/procfs/procfs_mem.c
> sys/miscfs/procfs/procfs_regs.c
>
> To update your existing checkout of 1.5-branch kernel sources
> from CVS:
>
> # cd src
> # cvs update -d -P sys/kern/kern_exec.c
> # cvs update -d -P sys/kern/sys_process.c
> # cvs update -d -P sys/sys/proc.h
> # cvs update -d -P sys/miscfs/procfs/procfs_ctl.c
> # cvs update -d -P sys/miscfs/procfs/procfs_mem.c
> # cvs update -d -P sys/miscfs/procfs/procfs_regs.c
> # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c
>
> Then build and install a new kernel. If you are not familiar
> with this process, documentation is available at:
>
>
>http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>
> Alternatively, apply the following patch (with potential offset
> differences):
>
>
>ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.5.patch
>
> To patch:
>
> # cd src
> # patch < /path/to/SA2002-001-ptrace-1.5.patch
>
> Then build and install a new kernel. If you are not familiar
> with this process, documentation is available at:
>
>
>http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>
>
>* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
>
> Apply the following patch (with potential offset differences):
>
>
>ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.4.patch
>
> To patch:
>
> # cd src
> # patch < /path/to/SA2002-001-ptrace-1.4.patch
>
> Then build and install a new kernel. If you are not familiar
> with this process, documentation is available at:
>
>
>http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>
>
>Thanks To
>=========
>
>Havard Eidnes and Christos Zoulas for work on the patches, and
>Tor Egge of FreeBSD for raising the issue.
>
>
>Revision History
>================
>
> 2002-01-16 Initial release
>
>
>More Information
>================
>
>An up-to-date PGP signed copy of this release will be maintained at
>
>ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-001.txt.asc
>
>Information about NetBSD and NetBSD security can be found at
>http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
>
>
>Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
>
>$NetBSD: NetBSD-SA2002-001.txt,v 1.6 2002/01/16 06:28:08 david Exp $
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (NetBSD)
>Comment: For info see http://www.gnupg.org
>
>-----END PGP SIGNATURE-----
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
