From owner-freebsd-security@FreeBSD.ORG Thu Jun 20 13:02:23 2013
Message-ID: <51C2FD56.5010202@shatow.net>
Date: Thu, 20 Jun 2013 08:02:14 -0500
From: Bryan Drewery
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-13:06.mmap
References: <20130618073224.3982D3728D@nine.des.no>
In-Reply-To: <20130618073224.3982D3728D@nine.des.no>

On 6/18/2013 2:32 AM, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-13:06.mmap                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Privilege escalation via mmap
>
> Category:       core
> Module:         kernel
> Announced:      2013-06-18
> Credits:        Konstantin Belousov
>                 Alan Cox
> Affects:        FreeBSD 9.0 and later
> Corrected:      2013-06-18 09:04:19 UTC (stable/9, 9.1-STABLE)
>                 2013-06-18 09:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)
> CVE Name:       CVE-2013-2171
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> The FreeBSD virtual memory system allows files to be memory-mapped.
> All or parts of a file can be made available to a process via its
> address space. The process can then access the file using memory
> operations rather than filesystem I/O calls.
>
> The ptrace(2) system call provides tracing and debugging facilities by
> allowing one process (the tracing process) to watch and control
> another (the traced process).
>
> II.  Problem Description
>
> Due to insufficient permission checks in the virtual memory system, a
> tracing process (such as a debugger) may be able to modify portions of
> the traced process's address space to which the traced process itself
> does not have write access.
>
> III. Impact
>
> This error can be exploited to allow unauthorized modification of an
> arbitrary file to which the attacker has read access, but not write
> access. Depending on the file and the nature of the modifications,
> this can result in privilege escalation.
>
> To exploit this vulnerability, an attacker must be able to run
> arbitrary code with user privileges on the target system.
>
> IV.  Workaround
>
> No workaround is available.

There is an exploit in the wild. If you have not patched yet, you can
disable ptrace(2) for unprivileged users. Note this disables ptrace, gdb,
truss, etc. for non-root.

This will do it until the next reboot:

    sysctl security.bsd.unprivileged_proc_debug=0

This will permanently disable it. I recommend doing this as it avoids
similar issues in the future:

    echo 'security.bsd.unprivileged_proc_debug=0' >> /etc/sysctl.conf
    service sysctl start

You should still hastily patch/reboot your system though.

-- 
Regards,
Bryan Drewery
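The check a defender would want after applying the workaround above, as an added shell example that is not part of the advisory or of Bryan's mail: it reports whether security.bsd.unprivileged_proc_debug is disabled at runtime and whether that setting is persisted in /etc/sysctl.conf, distinguishing the two failure modes (set only until reboot, or configured but not yet applied). The function names and status labels are my own; the knob name and the fix commands are those from the thread.

```shell
#!/bin/sh
# Audit helper for the ptrace workaround discussed above (FreeBSD-SA-13:06.mmap).
#   runtime:    security.bsd.unprivileged_proc_debug must currently be 0
#   persistent: /etc/sysctl.conf must set it to 0 so the setting survives a reboot
# The check functions take their input as arguments/stdin so they run anywhere;
# audit_live() gathers the real values on a FreeBSD host.

KNOB=security.bsd.unprivileged_proc_debug
KNOB_RE='security\.bsd\.unprivileged_proc_debug'   # same name, regex-escaped

# Return 0 only if the live sysctl value disables unprivileged ptrace.
# Anything else (1, empty because the knob is missing, garbage) fails closed.
runtime_mitigated() {
    [ "$1" = "0" ]
}

# Read sysctl.conf text on stdin; return 0 only if the last uncommented
# assignment of the knob is exactly 0.  Blanks around the value are tolerated
# (sysctl(8) skips them); a trailing "# comment" is not, so "0 # x" fails closed
# rather than guessing what the boot-time parser does.  Later lines override
# earlier ones at boot, hence tail -n 1.
persistent_mitigated() {
    last=$(grep -E "^[[:space:]]*${KNOB_RE}=" | tail -n 1)
    [ -n "$last" ] || return 1
    val=$(printf '%s\n' "${last#*=}" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
    [ "$val" = "0" ]
}

# Combine both answers into one word a monitoring job can alert on.
# $1 = live sysctl value, stdin = contents of sysctl.conf.
mitigation_status() {
    if runtime_mitigated "$1"; then rt=yes; else rt=no; fi
    if persistent_mitigated; then ps=yes; else ps=no; fi
    case "$rt$ps" in
        yesyes) echo mitigated ;;
        yesno)  echo runtime-only ;;      # will be lost at the next reboot
        noyes)  echo pending-reboot ;;    # in sysctl.conf but not yet applied
        *)      echo unmitigated ;;
    esac
}

# On a real FreeBSD host: collect the live values and print the status.
audit_live() {
    live=$(sysctl -n "$KNOB" 2>/dev/null) || live=""
    mitigation_status "$live" < /etc/sysctl.conf
}
```

Running `audit_live` on a host that has only done the `sysctl` step prints `runtime-only`; after the `echo ... >> /etc/sysctl.conf` line it prints `mitigated`.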