Published:
30 January 2000
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2000.020 -- FreeBSD-SA-00:02.procfs Old procfs hole incompletely filled 31 January 2000 =========================================================================== The FreeBSD Security Team has released the following advisory concerning an incompletely fixed vulnerability dating back to January 1997 on *BSD systems. (The initial advisory was released as FreeBSD Security Advisory FreeBSD-SA-97:04, redistributed as AUSCERT ESB-97.112) This vulnerability may allow local users to gain root privileges on affected systems. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:01 Security Advisory FreeBSD, Inc. Topic: Old procfs hole incompletely filled Category: core Module: make Announced: 2000-01-24 Affects: All versions before the correction date. Corrected: 2000-01-20 FreeBSD only: NO Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:02/procfs.patch I. Background procfs provides access to other processes memory spaces. This is intended to be used in debugging and has many safeguards built into it to prevent abuse. II. Problem Description In January 1997 a fatal flaw in *BSD procfs code (leading to a local root compromise) was discussed on various security forums. The exploit code dealt with /proc/pid/mem interface. Since then *BSD kernels contained a simple fix which was meant to close this hole. Unfortunately, throughout these three years it was still possible to abuse /proc/pid/mem in a similar, though more complicated fashion, which could lead to local root compromise. III. Impact Local users can gain root access. IV. Workaround You can unmount /proc. In both 3.x-stable and 4.0-current this will break truss and gcore. In 3.x-stable systems only it will reduce the amount of information ps reports. V. Solution Apply the following patch Index: sys/filedesc.h =================================================================== RCS file: /base/FreeBSD-CVS/src/sys/sys/filedesc.h,v retrieving revision 1.15.2.1 diff -u -r1.15.2.1 filedesc.h --- filedesc.h 1999/08/29 16:32:22 1.15.2.1 +++ filedesc.h 2000/01/20 21:39:29 @@ -139,6 +139,7 @@ int fsetown __P((pid_t, struct sigio **)); void funsetown __P((struct sigio *)); void funsetownlst __P((struct sigiolst *)); +void setugidsafety __P((struct proc *p)); #endif #endif Index: kern/kern_descrip.c =================================================================== RCS file: /base/FreeBSD-CVS/src/sys/kern/kern_descrip.c,v retrieving revision 1.58.2.3 diff -u -r1.58.2.3 kern_descrip.c --- kern_descrip.c 1999/11/18 08:09:08 1.58.2.3 +++ kern_descrip.c 2000/01/20 21:40:00 @@ -984,6 +984,62 @@ } /* + * For setuid/setgid programs we don't want to people to use that setuidness + * to generate error messages which write to a file which otherwise would + * otherwise be off limits to the proces. + * + * This is a gross hack to plug the hole. A better solution would involve + * a special vop or other form of generalized access control mechanism. We + * go ahead and just reject all procfs file systems accesses as dangerous. + * + * Since setugidsafety calls this only for fd 0, 1 and 2, this check is + * sufficient. We also don't for setugidness since we know we are. + */ +static int +is_unsafe(struct file *fp) +{ + if (fp->f_type == DTYPE_VNODE && + ((struct vnode *)(fp->f_data))->v_tag == VT_PROCFS) + return (1); + return (0); +} + +/* + * Make this setguid thing safe, if at all possible. + */ +void +setugidsafety(p) + struct proc *p; +{ + struct filedesc *fdp = p->p_fd; + struct file **fpp; + char *fdfp; + register int i; + + /* Certain daemons might not have file descriptors. */ + if (fdp == NULL) + return; + + fpp = fdp->fd_ofiles; + fdfp = fdp->fd_ofileflags; + for (i = 0; i <= fdp->fd_lastfile; i++, fpp++, fdfp++) { + if (i > 2) + break; + if (*fpp != NULL && is_unsafe(*fpp)) { + if (*fdfp & UF_MAPPED) + (void) munmapfd(p, i); + (void) closef(*fpp, p); + *fpp = NULL; + *fdfp = 0; + if (i < fdp->fd_freefile) + fdp->fd_freefile = i; + } + } + while (fdp->fd_lastfile > 0 && fdp->fd_ofiles[fdp->fd_lastfile] == NULL) + fdp->fd_lastfile--; +} + +/* * Close any files on exec? */ void Index: kern/kern_exec.c =================================================================== RCS file: /base/FreeBSD-CVS/src/sys/kern/kern_exec.c,v retrieving revision 1.93.2.3 diff -u -r1.93.2.3 kern_exec.c --- kern_exec.c 1999/08/29 16:25:58 1.93.2.3 +++ kern_exec.c 2000/01/20 21:39:29 @@ -281,6 +281,7 @@ if (attr.va_mode & VSGID) p->p_ucred->cr_gid = attr.va_gid; setsugid(p); + setugidsafety(p); } else { if (p->p_ucred->cr_uid == p->p_cred->p_ruid && p->p_ucred->cr_gid == p->p_cred->p_rgid) VI. Credits We are republishing a heavily edited FEAR security advisory (number 1) entitled "*BSD procfs vulnerability". More information about FEAR can be found at http://www.fear.pl. We would like to thank nergal@idea.avet.com.pl for sending a preliminary version of the advisory to us in time to correct the problem. ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org Security notifications: security-notifications@freebsd.org Security public discussion: freebsd-security@freebsd.org PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= - -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBOJFWeFUuHi5z0oilAQHo2AP+N4GDREEmjxy6RUvt+G3cRe1Sx4yxr/Jd q70D5Icp3JlcJgxGfWFqGGvt8yx9xMm6d57mFDltdvPKr0TY0n0bY39BJlRAto9n gn8BJJvQ0WQ15ctOQKIsGwGJqHvA+p4qAHYFE3sUIZn6oMz5//C5OmaC7mFtrycY TI64bNR+0F8= =/F89 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBOJ/aqih9+71yA2DNAQHYNwP/a+VD08L/jh06LmEbpmB3coYCMEDPSuHm BPg/sVRQmIqdxc+3R9zlgcnOEoW6//M4zJkX+QvqpVNYr8aU341cF7elNky1jCiL 63OLiqgfaxdSwlmvMDerZpkH2SvovYrEwzArASUgNNgJnR7Tt/WDnZtpq4ugGIoq erKB50T7Km4= =8R1O -----END PGP SIGNATURE-----