Published:
06 March 2000
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2000.037 -- FreeBSD-SA-00:03 Asmon/Ascpu ports fail to drop privileges 07 March 2000 =========================================================================== FreeBSD have released the following security advisory concerning a vulnerability in the asmon/ascpu packages provided as part of the FreeBSD ports collection. This vulnerability may allow local users to gain root privileges. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:03 Security Advisory FreeBSD, Inc. Topic: Asmon/Ascpu ports fail to drop privileges Category: ports Module: asmon/ascpu Announced: 2000-02-19 Affects: Ports collection before the correction date. Corrected: 2000-01-29 FreeBSD only: yes I. Background Two optional third-party ports distributed with FreeBSD can be used to execute commands with elevated privileges, specifically setgid kmem privileges. This may lead to a local root compromise. II. Problem Description Asmon and ascpu allow users to execute arbitrary commands as part of a user configuration file. Both applications are Linux-centric as distributed by the vendor and require patching to run under FreeBSD (specifically, using the kvm interface and setgid kmem privileges to obtain system statistics); this patching was the source of the present security problem. This is a similar flaw to one found in the wmmon port, which was corrected on 1999/12/31. Note that neither utility is installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 3100 third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact If you have not chosen to install the asmon or ascpu ports/packages, then your system is not vulnerable. If you have, then local users can obtain setgid kmem rights, which allows them to manipulate kernel memory, and thereby compromise root. IV. Workaround Remove the asmon and ascpu ports/packages, if you have installed them. V. Solution One of the following: 1) Upgrade your entire ports collection and rebuild the asmon and/or ascpu ports. 2) Reinstall a new package obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/sysutils/asmon-0.60.tgz ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/sysutils/ascpu-1.8.tgz after the correction date. At the time of advisory release, the asmon package was not available - you may need to use one of the other methods to update the software. 3) download a new port skeleton for the asmon and/or ascpu ports from: http://www.freebsd.org/ports/ and use it to rebuild one or both ports. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.0.tgz - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOK+LsFUuHi5z0oilAQHRZAP+MC3e3NhGNTDhiL/GAQjewUS8c16ClPhj WruCd5Tu1WJA2Em8Q19Ui7vrLRLQ9aXzTocUOBd6x6/zqpM3lS1aJMwvV9BkZ59G ONh6aiM7FbWPKukW1YThKDn0Vjtc5JaDHsbJ4dVHQh/IMqZD8hqocLG4AjJDxnLj qlRyhiCr/lA= =l1gj - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBOMy1mih9+71yA2DNAQFMRQP/WeUTFecIeWtqlGF/GDUbdnbiZv7OPV+v JNPrni3ff/yUMMfLF+TGaWalel+cKIgLMZqx/Na1gl0lTD+nKg4thLOjYeKBoI03 XzXsvvh/cFa2S8FF9YGK8j3cnu2o/NKmKuTxwWmTYBqf7GzRX9VoS5JcJKm3EBW9 1YfbMVZE9E0= =dbt9 -----END PGP SIGNATURE-----