Subject: NetBSD Security Advisory 2002-001 Close-on-exec, SUID and ptrace(2)
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: current-users
Date: 01/16/2002 13:04:07
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-001
=================================
Topic: Close-on-exec, SUID and ptrace(2)
Version: NetBSD-current: prior to January 14, 2002
NetBSD-1.5.*: affected up to and including 1.5.2
NetBSD-1.4.*: affected up to and including 1.4.3
Severity: local root privilege compromise
Fixed: NetBSD-current: January 14, 2002
NetBSD-1.5 branch: January 14, 2002
NetBSD-1.4 branch: January 14, 2002
Abstract
========
A process could exec a setuid binary, while gaining ptrace control
over it for a short period before the process was activated. The
ptrace controller process could then modify the address space of the
controlled process and abuse its elevated privileges.
Technical Details
=================
The opportunity for abuse is similar to the issues in NetBSD-SA2001-009,
though the cause is different. A race condition existed which allowed
bypassing of the usual restrictions against using ptrace on setugid
processes.
Since there is no known public exploit of this issue, and it is known to
affect other BSDs it would be a public disservice to provide further
insight at this time.
A patch is being included for procfs which can be exploited in a similar
fashion.
Note that the ptrace portion of this advisory affects all kernels, not
only kernels with particular options, such as procfs.
Solutions and Workarounds
=========================
The only workaround available is to disable all logins by untrusted
users. The race should still be patched, since it would allow elevation
to root privileges if some other vulnerability allowed a non-privileged
account to be compromised.
Since all recent NetBSD versions are affected, anyone who grants or has granted
user accounts to untrusted users on their systems should apply the patch for
this issue immediately.
While initial tests against earlier versions such as NetBSD-1.3.x were
unsuccessful, it is still expected that this issue would apply to these older
versions as well. It is strongly recommended that systems running
NetBSD-1.3.x and earlier be upgraded to a more recent release for many
security and performance reasons.
The following instructions describe how to upgrade your kernel by
updating your source tree or patching it.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-01-14
should be upgraded to NetBSD-current dated 2002-01-15 or later.
The following files need to be updated from the
netbsd-current CVS branch (aka HEAD):
sys/kern/kern_exec.c
sys/kern/sys_process.c
sys/sys/proc.h
sys/miscfs/procfs/procfs_ctl.c
sys/miscfs/procfs/procfs_mem.c
sys/miscfs/procfs/procfs_regs.c
sys/miscfs/procfs/procfs_vnops.c
To update your kernel sources from CVS:
# cd src
# cvs update -d -P sys/kern/kern_exec.c
# cvs update -d -P sys/kern/sys_process.c
# cvs update -d -P sys/sys/proc.h
# cvs update -d -P sys/miscfs/procfs/procfs_ctl.c
# cvs update -d -P sys/miscfs/procfs/procfs_mem.c
# cvs update -d -P sys/miscfs/procfs/procfs_regs.c
# cvs update -d -P sys/miscfs/procfs/procfs_vnops.c
Then build and install a new kernel. If you are not familiar
with this process, documentation is available at:
http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
* NetBSD 1.5, 1.5.1, 1.5.2:
Systems running NetBSD 1.5-branch sources dated from
before 2002-01-14 should be upgraded from NetBSD 1.5-branch
sources dated 2002-01-15 or later.
The following files need to be updated from the
netbsd-1-5 CVS branch:
sys/kern/kern_exec.c
sys/kern/sys_process.c
sys/sys/proc.h
sys/miscfs/procfs/procfs_ctl.c
sys/miscfs/procfs/procfs_mem.c
sys/miscfs/procfs/procfs_regs.c
To update your existing checkout of 1.5-branch kernel sources from CVS:
# cd src
# cvs update -d -P sys/kern/kern_exec.c
# cvs update -d -P sys/kern/sys_process.c
# cvs update -d -P sys/sys/proc.h
# cvs update -d -P sys/miscfs/procfs/procfs_ctl.c
# cvs update -d -P sys/miscfs/procfs/procfs_mem.c
# cvs update -d -P sys/miscfs/procfs/procfs_regs.c
# cvs update -d -P sys/miscfs/procfs/procfs_vnops.c
Then build and install a new kernel. If you are not familiar
with this process, documentation is available at:
http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
Alternatively, apply the following patch (with potential offset
differences):
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.5.patch
To patch:
# cd src
# patch < /path/to/SA2002-001-ptrace-1.5.patch
Then build and install a new kernel. If you are not familiar
with this process, documentation is available at:
http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
Apply the following patch (with potential offset differences):
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.4.patch
To patch:
# cd src
# patch < /path/to/SA2002-001-ptrace-1.4.patch
Then build and install a new kernel. If you are not familiar
with this process, documentation is available at:
http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
Thanks To
=========
Havard Eidnes and Christos Zoulas for work on the patches, and
Tor Egge of FreeBSD for raising the issue.
Revision History
================
2002-01-16 Initial release
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-001.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-001.txt,v 1.6 2002/01/16 06:28:08 david Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPEWdsD5Ru2/4N2IFAQFAlQP8DrpewEgC/72QqEd0WKSHUS6AWh8jaXcf
5Uq3torY6Cuk/C0jlhbbSo+PKdxPbtdmhUDP+7WMcVcGQbNwGI0/sbVj2fS0u5Cq
nm/EQZ8eNf4XudC/CMkpinP2Oid+8K032Mh1b7HiD1UQeE/Nd96X0xEQ4fIRebqt
AGnGymrlWyc=
=vLoR
-----END PGP SIGNATURE-----