From security-officer@netbsd.org Wed Jan 16 18:12:56 2002 From: NetBSD Security Officer To: bugtraq@securityfocus.com Date: Wed, 16 Jan 2002 13:04:32 -0500 Subject: NetBSD Security Advisory 2002-001 Close-on-exec, SUID and ptrace(2) -----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-001 ================================= Topic: Close-on-exec, SUID and ptrace(2) Version: NetBSD-current: prior to January 14, 2002 NetBSD-1.5.*: affected up to and including 1.5.2 NetBSD-1.4.*: affected up to and including 1.4.3 Severity: local root privilege compromise Fixed: NetBSD-current: January 14, 2002 NetBSD-1.5 branch: January 14, 2002 NetBSD-1.4 branch: January 14, 2002 Abstract ======== A process could exec a setuid binary, while gaining ptrace control over it for a short period before the process was activated. The ptrace controller process could then modify the address space of the controlled process and abuse its elevated privileges. Technical Details ================= The opportunity for abuse is similar to the issues in NetBSD-SA2001-009, though the cause is different. A race condition existed which allowed bypassing of the usual restrictions against using ptrace on setugid processes. Since there is no known public exploit of this issue, and it is known to affect other BSDs it would be a public disservice to provide further insight at this time. A patch is being included for procfs which can be exploited in a similar fashion. Note that the ptrace portion of this advisory affects all kernels, not only kernels with particular options, such as procfs. Solutions and Workarounds ========================= The only workaround available is to disable all logins by untrusted users. The race should still be patched, since it would allow elevation to root privileges if some other vulnerability allowed a non-privileged account to be compromised. Since all recent NetBSD versions are affected, anyone who grants or has granted user accounts to untrusted users on their systems should apply the patch for this issue immediately. While initial tests against earlier versions such as NetBSD-1.3.x were unsuccessful, it is still expected that this issue would apply to these older versions as well. It is strongly recommended that systems running NetBSD-1.3.x and earlier be upgraded to a more recent release for many security and performance reasons. The following instructions describe how to upgrade your kernel by updating your source tree or patching it. * NetBSD-current: Systems running NetBSD-current dated from before 2002-01-14 should be upgraded to NetBSD-current dated 2002-01-15 or later. The following files need to be updated from the netbsd-current CVS branch (aka HEAD): sys/kern/kern_exec.c sys/kern/sys_process.c sys/sys/proc.h sys/miscfs/procfs/procfs_ctl.c sys/miscfs/procfs/procfs_mem.c sys/miscfs/procfs/procfs_regs.c sys/miscfs/procfs/procfs_vnops.c To update your kernel sources from CVS: # cd src # cvs update -d -P sys/kern/kern_exec.c # cvs update -d -P sys/kern/sys_process.c # cvs update -d -P sys/sys/proc.h # cvs update -d -P sys/miscfs/procfs/procfs_ctl.c # cvs update -d -P sys/miscfs/procfs/procfs_mem.c # cvs update -d -P sys/miscfs/procfs/procfs_regs.c # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c Then build and install a new kernel. If you are not familiar with this process, documentation is available at: http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel * NetBSD 1.5, 1.5.1, 1.5.2: Systems running NetBSD 1.5-branch sources dated from before 2002-01-14 should be upgraded from NetBSD 1.5-branch sources dated 2002-01-15 or later. The following files need to be updated from the netbsd-1-5 CVS branch: sys/kern/kern_exec.c sys/kern/sys_process.c sys/sys/proc.h sys/miscfs/procfs/procfs_ctl.c sys/miscfs/procfs/procfs_mem.c sys/miscfs/procfs/procfs_regs.c To update your existing checkout of 1.5-branch kernel sources from CVS: # cd src # cvs update -d -P sys/kern/kern_exec.c # cvs update -d -P sys/kern/sys_process.c # cvs update -d -P sys/sys/proc.h # cvs update -d -P sys/miscfs/procfs/procfs_ctl.c # cvs update -d -P sys/miscfs/procfs/procfs_mem.c # cvs update -d -P sys/miscfs/procfs/procfs_regs.c # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c Then build and install a new kernel. If you are not familiar with this process, documentation is available at: http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel Alternatively, apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.5.patch To patch: # cd src # patch < /path/to/SA2002-001-ptrace-1.5.patch Then build and install a new kernel. If you are not familiar with this process, documentation is available at: http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3: Apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.4.patch To patch: # cd src # patch < /path/to/SA2002-001-ptrace-1.4.patch Then build and install a new kernel. If you are not familiar with this process, documentation is available at: http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel Thanks To ========= Havard Eidnes and Christos Zoulas for work on the patches, and Tor Egge of FreeBSD for raising the issue. Revision History ================ 2002-01-16 Initial release More Information ================ An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-001.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-001.txt,v 1.6 2002/01/16 06:28:08 david Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPEWdsD5Ru2/4N2IFAQFAlQP8DrpewEgC/72QqEd0WKSHUS6AWh8jaXcf 5Uq3torY6Cuk/C0jlhbbSo+PKdxPbtdmhUDP+7WMcVcGQbNwGI0/sbVj2fS0u5Cq nm/EQZ8eNf4XudC/CMkpinP2Oid+8K032Mh1b7HiD1UQeE/Nd96X0xEQ4fIRebqt AGnGymrlWyc= =vLoR -----END PGP SIGNATURE-----