From owner-freebsd-security Wed Jan 16 18:10:50 2002
Message-Id: <5.1.0.14.0.20020116211004.0269d600@192.168.0.12>
Date: Wed, 16 Jan 2002 21:11:06 -0500
To: security@freebsd.org
From: Mike Tancsa
Subject: Fwd: NetBSD Security Advisory 2002-001 Close-on-exec, SUID and ptrace(2)

There is mention of other BSDs as well in the advisory below. Was/is this
an old issue for FreeBSD or one that is currently relevant?

        ---Mike

>Date: Wed, 16 Jan 2002 13:04:32 -0500
>From: NetBSD Security Officer
>To: bugtraq@securityfocus.com
>Subject: NetBSD Security Advisory 2002-001 Close-on-exec, SUID and ptrace(2)
>Reply-To: NetBSD Security Officer
>Organisation: The NetBSD Foundation, Inc.
>
>                 NetBSD Security Advisory 2002-001
>                 =================================
>
>Topic:          Close-on-exec, SUID and ptrace(2)
>
>Version:        NetBSD-current: prior to January 14, 2002
>                NetBSD-1.5.*:   affected up to and including 1.5.2
>                NetBSD-1.4.*:   affected up to and including 1.4.3
>
>Severity:       local root privilege compromise
>
>Fixed:          NetBSD-current:    January 14, 2002
>                NetBSD-1.5 branch: January 14, 2002
>                NetBSD-1.4 branch: January 14, 2002
>
>
>Abstract
>========
>
>A process could exec a setuid binary, while gaining ptrace control
>over it for a short period before the process was activated. The
>ptrace controller process could then modify the address space of the
>controlled process and abuse its elevated privileges.
>
>Technical Details
>=================
>
>The opportunity for abuse is similar to the issues in NetBSD-SA2001-009,
>though the cause is different. A race condition existed which allowed
>bypassing of the usual restrictions against using ptrace on setugid
>processes.
>
>Since there is no known public exploit of this issue, and it is known to
>affect other BSDs it would be a public disservice to provide further
>insight at this time.
>
>A patch is being included for procfs which can be exploited in a similar
>fashion.
>
>Note that the ptrace portion of this advisory affects all kernels, not
>only kernels with particular options, such as procfs.
>
>Solutions and Workarounds
>=========================
>
>The only workaround available is to disable all logins by untrusted
>users. The race should still be patched, since it would allow elevation
>to root privileges if some other vulnerability allowed a non-privileged
>account to be compromised.
>
>Since all recent NetBSD versions are affected, anyone who grants or has
>granted user accounts to untrusted users on their systems should apply
>the patch for this issue immediately.
>
>While initial tests against earlier versions such as NetBSD-1.3.x were
>unsuccessful, it is still expected that this issue would apply to these
>older versions as well. It is strongly recommended that systems running
>NetBSD-1.3.x and earlier be upgraded to a more recent release for many
>security and performance reasons.
>
>The following instructions describe how to upgrade your kernel by
>updating your source tree or patching it.
>
>* NetBSD-current:
>
>        Systems running NetBSD-current dated from before 2002-01-14
>        should be upgraded to NetBSD-current dated 2002-01-15 or later.
>
>        The following files need to be updated from the
>        netbsd-current CVS branch (aka HEAD):
>                sys/kern/kern_exec.c
>                sys/kern/sys_process.c
>                sys/sys/proc.h
>                sys/miscfs/procfs/procfs_ctl.c
>                sys/miscfs/procfs/procfs_mem.c
>                sys/miscfs/procfs/procfs_regs.c
>                sys/miscfs/procfs/procfs_vnops.c
>
>        To update your kernel sources from CVS:
>                # cd src
>                # cvs update -d -P sys/kern/kern_exec.c
>                # cvs update -d -P sys/kern/sys_process.c
>                # cvs update -d -P sys/sys/proc.h
>                # cvs update -d -P sys/miscfs/procfs/procfs_ctl.c
>                # cvs update -d -P sys/miscfs/procfs/procfs_mem.c
>                # cvs update -d -P sys/miscfs/procfs/procfs_regs.c
>                # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c
>
>        Then build and install a new kernel. If you are not familiar
>        with this process, documentation is available at:
>
>        http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>
>* NetBSD 1.5, 1.5.1, 1.5.2:
>
>        Systems running NetBSD 1.5-branch sources dated from
>        before 2002-01-14 should be upgraded from NetBSD 1.5-branch
>        sources dated 2002-01-15 or later.
>
>        The following files need to be updated from the
>        netbsd-1-5 CVS branch:
>                sys/kern/kern_exec.c
>                sys/kern/sys_process.c
>                sys/sys/proc.h
>                sys/miscfs/procfs/procfs_ctl.c
>                sys/miscfs/procfs/procfs_mem.c
>                sys/miscfs/procfs/procfs_regs.c
>
>        To update your existing checkout of 1.5-branch kernel sources
>        from CVS:
>
>                # cd src
>                # cvs update -d -P sys/kern/kern_exec.c
>                # cvs update -d -P sys/kern/sys_process.c
>                # cvs update -d -P sys/sys/proc.h
>                # cvs update -d -P sys/miscfs/procfs/procfs_ctl.c
>                # cvs update -d -P sys/miscfs/procfs/procfs_mem.c
>                # cvs update -d -P sys/miscfs/procfs/procfs_regs.c
>                # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c
>
>        Then build and install a new kernel. If you are not familiar
>        with this process, documentation is available at:
>
>        http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>
>        Alternatively, apply the following patch (with potential offset
>        differences):
>
>        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.5.patch
>
>        To patch:
>
>                # cd src
>                # patch < /path/to/SA2002-001-ptrace-1.5.patch
>
>        Then build and install a new kernel. If you are not familiar
>        with this process, documentation is available at:
>
>        http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>
>
>* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
>
>        Apply the following patch (with potential offset differences):
>
>        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.4.patch
>
>        To patch:
>
>                # cd src
>                # patch < /path/to/SA2002-001-ptrace-1.4.patch
>
>        Then build and install a new kernel. If you are not familiar
>        with this process, documentation is available at:
>
>        http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
>
>
>Thanks To
>=========
>
>Havard Eidnes and Christos Zoulas for work on the patches, and
>Tor Egge of FreeBSD for raising the issue.
>
>
>Revision History
>================
>
>        2002-01-16      Initial release
>
>
>More Information
>================
>
>An up-to-date PGP signed copy of this release will be maintained at
>
>ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-001.txt.asc
>
>Information about NetBSD and NetBSD security can be found at
>http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
>
>
>Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
>
>$NetBSD: NetBSD-SA2002-001.txt,v 1.6 2002/01/16 06:28:08 david Exp $

--------------------------------------------------------------------
Mike Tancsa,                                  tel +1 519 651 3400
Sentex Communications,                        mike@sentex.net
Providing Internet since 1994                 www.sentex.net
Cambridge, Ontario Canada                     www.sentex.net/mike