Date:      Mon, 28 Apr 1997 11:04:53 +0200
From:      Eivind Eklund <eivind@dimaga.com>
To:        Brian Buchanan <brian@wasteland.calbbs.com>
Cc:        security@freebsd.org
Subject:   Re: Lowering securelevel from userland
Message-ID:  <3.0.32.19970428110452.00f97100@dimaga.com>

At 11:17 AM 4/26/97 -0700, Brian Buchanan wrote:
>Description:
>
>On my 2.2.1 system, I was able to lower the securelevel by taking over
>init with gdb.  I compiled a copy of init with debug symbols by using
>-ggdb in the compile flags, then ran gdb using that for the symbol table
>and attached to process 1.  I was able to execute setsecuritylevel(0) from
>gdb, although this caused the process to hang.  Sending a signal woke it
>up long enough to let the securelevel get changed from 2 to 0 before init
>died with a segmentation fault.  Even though the system was in an unstable
>state, I was able to remove the schg flags from /kernel and /sbin/init
>before rebooting the machine from the command line.
>
>Impact:
>
>An attacker who has gained superuser privileges can replace the kernel,
>delete append-only logs, or thrash the disks, even on a system that
>normally runs in highly secure mode.
>
>Exploit:
>
>One can do the following as the superuser to gain total control of a
>machine running at securelevel 1 or 2.
>
>gdb /usr/src/sbin/init/init.debug 1  (Attach to process 1, loading
>                                      symbols from init compiled w/ -ggdb)
>signal SIGHUP                   (Process will get SIGHUP when it resumes)
>call setsecuritylevel(0)        (Make init lower the security level)
><security level will change to 0, init will segfault>
><suspend gdb or switch to another root shell, remove schg/sappnd
> flags from files, reboot the machine>

Here is a patch that _should_ fix it (2.1.7 sourcebase, as I'm not in the
vicinity of the -current sources right now.)

--- init.c.orig Mon Apr 28 11:52:04 1997
+++ init.c      Mon Apr 28 11:57:58 1997
@@ -235,7 +235,7 @@
         */
        handle(badsys, SIGSYS, 0);
        handle(disaster, SIGABRT, SIGFPE, SIGILL, SIGSEGV,
-              SIGBUS, SIGXCPU, SIGXFSZ, 0);
+              SIGBUS, SIGXCPU, SIGXFSZ, SIGEMT, SIGQUIT, SIGTRAP, 0);
        handle(transition_handler, SIGHUP, SIGINT, SIGTERM, SIGTSTP, 0);
        handle(alrm_handler, SIGALRM, 0);
        sigfillset(&mask);
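Review bot: the one changed line only widens the list of signals that disaster() catches (SIGEMT, SIGQUIT and SIGTRAP are added), and it is not clear how that blocks the sequence in the report, where gdb attaches to process 1 and injects the setsecuritylevel(0) call itself; the signal the reporter queues is SIGHUP, which the unchanged line below still routes to transition_handler, and a tracer sees a traced process's stop signals before any handler in that process runs. Please add a comment above the handle() call stating which signal this is meant to intercept and why, and consider a kernel-side check that refuses PT_ATTACH on pid 1 while securelevel > 0, since init in userland cannot protect itself from a debugger running with superuser privileges.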

I can't test this patch, as I can't reboot the local server right now, and
doing remote experiments with init isn't my idea of 'safe'.
Please tell me whether it seems to fix the problem, and I'll commit it if it does.
(After having done my own tests, too - init is critical...)

Eivind.