tech-security: Re: Bugtraq: procfs hole

Subject: Re: Bugtraq: procfs hole
To: None <tech-security@NetBSD.ORG>
From: Rick Byers <rickb@iaw.on.ca>
List: tech-security
Date: 08/14/1997 19:01:52
I supped today, but procfs still apears to be volnerable.  I havn't
looked much at the procfs source yet, but from the comment in the new
checkioperm(), could the problem be that the exploit doesn't "open the
memory of a setuid process" so isn't caught by rule 1?.  It opens the
memory of a normal process (the exploit), which then the process exec's to
a setuid program after the memory is allready open.

I've e-mailed Jason, but he won't be back until Wednesday.  So the obvious
intermediate fix is to take procfs out of your kernel.  Obviously,
removing mount_procfs won't help much.

Rick

 On Tue, 12 Aug 1997, Jason Thorpe wrote:

> On Tue, 12 Aug 1997 15:05:13 -0500 (EST) 
>  Rick Byers <rickb@iaw.on.ca> wrote:
> 
>  > I have verified that we are volnerable.  The FreeBSD exploit has to be
>  > significantly modified, but it does work (I tested it under -current and
>  > 1.2.1).  I'm taking PROCFS out of all my kernels..
> 
> See my mail to current-users... I've committed a fix.  Please try it out.
> 
> Jason R. Thorpe                                       thorpej@nas.nasa.gov
> NASA Ames Research Center                            Home: +1 408 866 1912
> NAS: M/S 258-6                                       Work: +1 415 604 0935
> Moffett Field, CA 94035                             Pager: +1 415 428 6939
> 

=========================================================================
Rick Byers                                      Internet Access Worldwide
rickb@iaw.on.ca                                System Admin, Tech Support
Welland, Ontario, Canada                                    (905)714-1400
http://www.iaw.on.ca/rickb/                         http://www.iaw.on.ca/



On Tue, 12 Aug 1997, Jason Thorpe wrote:

> On Tue, 12 Aug 1997 15:05:13 -0500 (EST) 
>  Rick Byers <rickb@iaw.on.ca> wrote:
> 
>  > I have verified that we are volnerable.  The FreeBSD exploit has to be
>  > significantly modified, but it does work (I tested it under -current and
>  > 1.2.1).  I'm taking PROCFS out of all my kernels..
> 
> See my mail to current-users... I've committed a fix.  Please try it out.
> 
> Jason R. Thorpe                                       thorpej@nas.nasa.gov
> NASA Ames Research Center                            Home: +1 408 866 1912
> NAS: M/S 258-6                                       Work: +1 415 604 0935
> Moffett Field, CA 94035                             Pager: +1 415 428 6939
> 

=========================================================================
Rick Byers                                      Internet Access Worldwide
rickb@iaw.on.ca                                System Admin, Tech Support
Welland, Ontario, Canada                                    (905)714-1400
http://www.iaw.on.ca/rickb/                         http://www.iaw.on.ca/