Date: Mon, 13 Nov 2000 22:56:55 -0500 (EST)
From: Trevor Johnson <trevor@jpj.net>
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:68.ncurses
Message-ID: <Pine.BSI.4.21.0011132242190.15575-100000@blues.jpj.net>
In-Reply-To: <20001113235453.B39D637B479@hub.freebsd.org>
This advisory would be better with a little more information:

- it doesn't mention that systems with telnetd linked against a
  vulnerable version of ncurses are susceptible to a remote DoS that
  doesn't require the attacker to remain connected (described to me by
  Esa Etelavuori <eetelavu@cc.hut.fi> and confirmed on my 4.1.1-R and
  5.0-S systems).
- it doesn't mention that the devel/ncurses port, until 2000-11-10,
  installed a reportedly vulnerable version of the library.
- it doesn't mention the report by venglin <venglin@freebsd.lublin.pl>
  of problems with 3.x (http://www.securityfocus.com/advisories/2269).

On Mon, 13 Nov 2000, FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-00:68                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          ncurses allows local privilege escalation
>
> Category:       core
> Module:         ncurses
> Announced:      2000-11-13
> Affects:        FreeBSD 5.0-CURRENT, 4.x prior to the correction date.
>                 FreeBSD 3.x vulnerability status currently unconfirmed.
> Corrected:      2000-10-11 (FreeBSD 4.1.1-STABLE)
> Credits:        Jouko Pynnonen <jouko@SOLUTIONS.FI>
> FreeBSD only:   NO
>
> I.   Background
>
> ncurses is a text-mode display library used for formatting the output
> of applications on a variety of terminals. It is externally
> maintained, contributed code which is included in FreeBSD by default.
>
> II.  Problem Description
>
> There exists an overflowable buffer in the libncurses library in the
> processing of cursor movement capabilities. An attacker can force a
> privileged application to use the attacker's termcap file containing a
> specially crafted terminal entry, which will trigger the vulnerability
> when the vulnerable ncurses code is called. This allows them to
> execute arbitrary code on the local system with the privileges of the
> exploited binary.
>
> The systat utility included in the FreeBSD base system is known to use
> vulnerable ncurses routines. It runs with increased privileges as a
> member of the kmem group, which allows it to read from kernel memory
> (but not write to it). A process with the ability to read from kernel
> memory can monitor privileged data such as network traffic, disk
> buffers and terminal activity, and may be able to leverage this to
> obtain further privileges on the local system or on other systems,
> including root privileges.
>
> There may be other vulnerable applications included in the FreeBSD 4.x
> base system, but no others are confirmed to be vulnerable due to the
> difficulty in identifying a complete list of vulnerable ncurses
> functions. However the following is a complete list of FreeBSD system
> binaries which link against ncurses and run with increased
> privileges. They may or may not be vulnerable to exploitation.
>
> /usr/sbin/lpc
> /usr/bin/top
> /usr/bin/systat
>
> FreeBSD 3.x and earlier versions use a very old, customized version of
> ncurses which is difficult to update without breaking
> backwards-compatibility. The update was made for FreeBSD 4.0, but 3.x
> will not be updated to the newer version. At this stage the
> vulnerability has not been confirmed in FreeBSD 3.x.
>
> III. Impact
>
> Certain setuid/setgid software (including FreeBSD base system
> utilities and third party ports/packages) may be vulnerable to a local
> exploit yielding privileged access.
>
> The /usr/bin/systat utility is known to be vulnerable to this problem
> in ncurses. At this time it is unknown whether /usr/bin/top and
> /usr/sbin/lpc are also affected.
>
> The problems were corrected prior to the release of FreeBSD 4.2.
>
> IV.  Workaround
>
> It is not feasible to reliably detect binaries which are vulnerable to
> the ncurses vulnerability, however the provided utility will scan for
> privileged binaries which use ncurses and which may potentially be
> vulnerable. Some of the binaries reported may not in fact be
> vulnerable, but should be recompiled anyway for maximum assurance of
> security.
>
> Statically linked binaries which are identified as potentially
> vulnerable should be recompiled from source code if possible, after
> patching and recompiling libncurses, in order to correct the
> vulnerability. Dynamically linked binaries will be corrected by
> simply patching and recompiling libncurses as described below.
>
> As an interim measure, consider removing any identified setuid or
> setgid binary, removing set[ug]id privileges from the file, or
> limiting the file access permissions, as appropriate.
>
> Of course, it is possible that some of the identified files may be
> required for the correct operation of your local system, in which case
> there is no clear workaround except for limiting the set of users who
> may run the binaries, by an appropriate use of user groups and
> removing the "o+x" file permission bit.
>
> 1) Download the 'scan_ncurses.sh' and 'test_ncurses.sh' scripts from
>
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh
>
> e.g. with the fetch(1) command:
>
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
> Receiving scan_ncurses.sh (381 bytes): 100%
> 381 bytes transferred in 0.1 seconds (7.03 kBps)
> # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh
> Receiving test_ncurses.sh (604 bytes): 100%
> 604 bytes transferred in 0.1 seconds (6.55 kBps)
>
> 2) Verify the md5 checksums and compare to the value below:
>
> # md5 scan_ncurses.sh
> MD5 (scan_ncurses.sh) = 597f63af701253f053581aa1821cbac1
> # md5 test_ncurses.sh
> MD5 (test_ncurses.sh) = 12491ceb15415df7682e3797de53223e
>
> 3) Run the scan_ncurses.sh script against your system:
>
> # chmod a+x ./test_ncurses.sh
> # sh scan_ncurses.sh ./test_ncurses.sh /
>
> This will scan your entire system for setuid or setgid binaries which
> make use of the ncurses library. Each returned binary should be
> examined (e.g. with 'ls -l' and/or other tools) to determine what
> security risk it poses to your local environment, e.g. whether it can
> be run by arbitrary local users who may be able to exploit it to gain
> privileges.
>
> 4) Remove the binaries, or reduce their file permissions, as appropriate.
>
> V.   Solution
>
> Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE after the
> correction date, or patch your present system source code and
> rebuild. Then run the scan_ncurses.sh script as instructed in section
> IV and identify any statically-linked binaries as reported by the
> script. These should either be removed, recompiled, or have privileges
> restricted to secure them against this vulnerability (since
> statically-linked binaries will not be affected by simply recompiling
> the shared libncurses library).
>
> To patch your present system: download the updated ncurses code from
> the below location, and execute the following commands as root:
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz.asc
>
> Verify the detached PGP signature using your PGP utility.
>
> cd /usr/src
> tar xvfz /path/to/ncurses.tar.gz
> cd /usr/src/lib/libncurses
> make all
> make install
>
> In contrast to the usual practise, a simple patch fixing the security
> vulnerability is not provided because the vendor did not make one
> available, and the updated ncurses snapshot which fixed the
> vulnerability contains numerous other changes whose purpose and
> relation to the fix was unclear.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iQCVAwUBOhB+8lUuHi5z0oilAQHjtwP9EIqTrWGcF4hzT7o7CrqGSTBWkQ6QhH2g
> DfIef15FLYXOoFImpyi1Jlk0V5RcuTTWez+Kpj8/+Yk3+TYuoYT1k08k1YBuBlCH
> HYGvhTAdTO9lflUS6uxZzmiRL3ZOjHPS5OXA6ualnaohMVvBjq/f3V7/cSYZLZ1p
> KmHPlYgvFPA=
> =SlgT
> -----END PGP SIGNATURE-----
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt
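The advisory's scan_ncurses.sh and test_ncurses.sh are not reproduced in this thread, so the following is an added example of the same kind of check (it is not the FreeBSD scripts, and not code from the advisory or from the reply). It walks a tree for set[ug]id files and reports, for each one that involves libncurses, whether it is linked dynamically (fixed by rebuilding the shared library, as in section V) or apparently statically (must be recompiled). It assumes a POSIX sh with find(1), ldd(1) and grep(1); the string search used to spot static linkage is a heuristic of this example, not something the advisory specifies.

```shell
#!/bin/sh
# Added example in the spirit of the advisory's scan_ncurses.sh; it is
# not the FreeBSD script itself.  Assumes POSIX sh, find, ldd and grep.

# Classify how a file relates to libncurses.  Prints one word:
#   dynamic - ldd lists a libncurses shared object, so rebuilding and
#             reinstalling the shared library fixes this binary
#   static  - not dynamically linked to it, but the file embeds the
#             string "ncurses" (heuristic; such a binary has to be
#             recompiled against the fixed library)
#   none    - no sign of ncurses
# Exit status is 0 for dynamic/static and 1 for none.
ncurses_linkage() {
    f="$1"
    if ldd "$f" 2>/dev/null | grep -q 'libncurses'; then
        echo dynamic
        return 0
    fi
    # -a treats the binary as text so symbol and soname strings left in
    # a statically linked copy can match.  Unrelated data can also match,
    # which is why the advisory says to inspect each hit by hand.
    if grep -aq 'ncurses' "$f" 2>/dev/null; then
        echo static
        return 0
    fi
    echo none
    return 1
}

# Walk DIR for regular files carrying the setuid (4000) or setgid (2000)
# bit and print "<linkage> <path>" for each one that involves ncurses.
# Unprivileged files are skipped: the concern is the termcap-driven
# overflow reached through a privileged binary.
scan_privileged_ncurses() {
    dir="$1"
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        kind=$(ncurses_linkage "$path") || continue
        printf '%s %s\n' "$kind" "$path"
    done
}

# Stand-alone use, mirroring step 3 of the advisory:  sh thisfile --scan /
if [ "${1:-}" = "--scan" ]; then
    scan_privileged_ncurses "${2:-/}"
fi
```

Hits reported as "static" are the ones section V singles out: a rebuilt shared libncurses does nothing for them, so they need recompiling, removal, or tighter permissions as the advisory describes.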