From owner-freebsd-security Sun Jun 30 11:17:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 023F937B400 for ; Sun, 30 Jun 2002 11:17:29 -0700 (PDT) Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id F3DB643E09 for ; Sun, 30 Jun 2002 11:17:27 -0700 (PDT) (envelope-from avalon@caligula.anu.edu.au) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id EAA05639 for security@freebsd.org; Mon, 1 Jul 2002 04:17:25 +1000 (EST) From: Darren Reed Message-Id: <200206301817.EAA05639@caligula.anu.edu.au> Subject: security risk: ktrace(2) in FreeBSD prior to -current. To: security@freebsd.org Date: Mon, 1 Jul 2002 04:17:22 +1000 (Australia/ACT) X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The bug in ktrace(2) is present in all FreeBSD's that don't have p_candebug() in the kernel. In short, this is 4-stable, etc. What's the risk ? With OpenSSH 3.4, ssh-keysign gets installed setuid-root. Using the ktrace(2) bug, you can ktrace the ssh-keysign process after it resets its uid's and watch it read your ssh host keys, be they RSA or DSA. I'm working on a patch for FreeBSD that doesn't break either FreeBSD or ktrace(2) working the way it should. In the meantime: chmod 555 `which ssh-keysign` Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message