Operating System:

[NetBSD]

Published:

29 January 2002

Protect yourself against future threats.

//Service

AusCERT Education

Enhance your knowledge with our exceptional one day training offerings for individuals and organisations

Read more
Resources > Security Bulletins > ESB-2002.056 

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

             ESB-2002.056 -- NetBSD Security Advisory 2002-001
                     Close-on-exec, SUID and ptrace(2)
                              30 January 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                kernel
Vendor:                 NetBSD
Operating System:       NetBSD-current:	prior to January 14, 2002
                        NetBSD-1.5.*:	affected up to and including 1.5.2
                        NetBSD-1.4.*:	affected up to and including 1.4.3
Impact:                 Root Compromise
Access Required:        Existing Account

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-001
		 =================================

Topic:		Close-on-exec, SUID and ptrace(2)

Version:	NetBSD-current:	prior to January 14, 2002
		NetBSD-1.5.*:	affected up to and including 1.5.2
		NetBSD-1.4.*:	affected up to and including 1.4.3

Severity:	local root privilege compromise

Fixed:		NetBSD-current:		January 14, 2002
		NetBSD-1.5 branch:	January 14, 2002
		NetBSD-1.4 branch:	January 14, 2002


Abstract
========

A process could exec a setuid binary, while gaining ptrace control
over it for a short period before the process was activated. The
ptrace controller process could then modify the address space of the
controlled process and abuse its elevated privileges.

Technical Details
=================

The opportunity for abuse is similar to the issues in NetBSD-SA2001-009,
though the cause is different. A race condition existed which allowed
bypassing of the usual restrictions against using ptrace on setugid
processes.

Since there is no known public exploit of this issue, and it is known to
affect other BSDs it would be a public disservice to provide further
insight at this time.

A patch is being included for procfs which can be exploited in a similar
fashion.

Note that the ptrace portion of this advisory affects all kernels, not
only kernels with particular options, such as procfs.

Solutions and Workarounds
=========================

The only workaround available is to disable all logins by untrusted
users. The race should still be patched, since it would allow elevation
to root privileges if some other vulnerability allowed a non-privileged
account to be compromised.

Since all recent NetBSD versions are affected, anyone who grants or has granted
user accounts to untrusted users on their systems should apply the patch for
this issue immediately.

While initial tests against earlier versions such as NetBSD-1.3.x were
unsuccessful, it is still expected that this issue would apply to these older
versions as well.  It is strongly recommended that systems running
NetBSD-1.3.x and earlier be upgraded to a more recent release for many
security and performance reasons.

The following instructions describe how to upgrade your kernel by
updating your source tree or patching it.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-01-14
	should be upgraded to NetBSD-current dated 2002-01-15 or later.

	The following files need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		sys/kern/kern_exec.c
		sys/kern/sys_process.c
		sys/sys/proc.h
		sys/miscfs/procfs/procfs_ctl.c
		sys/miscfs/procfs/procfs_mem.c
		sys/miscfs/procfs/procfs_regs.c
		sys/miscfs/procfs/procfs_vnops.c

	To update your kernel sources from CVS:
		# cd src
		# cvs update -d -P sys/kern/kern_exec.c
		# cvs update -d -P sys/kern/sys_process.c
		# cvs update -d -P sys/sys/proc.h
		# cvs update -d -P sys/miscfs/procfs/procfs_ctl.c
		# cvs update -d -P sys/miscfs/procfs/procfs_mem.c
		# cvs update -d -P sys/miscfs/procfs/procfs_regs.c
		# cvs update -d -P sys/miscfs/procfs/procfs_vnops.c

	Then build and install a new kernel. If you are not familiar
	with this process, documentation is available at:

		http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel

* NetBSD 1.5, 1.5.1, 1.5.2:

	Systems running NetBSD 1.5-branch sources dated from
	before 2002-01-14 should be upgraded from NetBSD 1.5-branch
	sources dated 2002-01-15 or later.

	The following files need to be updated from the
	netbsd-1-5 CVS branch:
		sys/kern/kern_exec.c
		sys/kern/sys_process.c
		sys/sys/proc.h
		sys/miscfs/procfs/procfs_ctl.c
		sys/miscfs/procfs/procfs_mem.c
		sys/miscfs/procfs/procfs_regs.c

	To update your existing checkout of 1.5-branch kernel sources from CVS:

		# cd src
		# cvs update -d -P sys/kern/kern_exec.c
		# cvs update -d -P sys/kern/sys_process.c
		# cvs update -d -P sys/sys/proc.h
		# cvs update -d -P sys/miscfs/procfs/procfs_ctl.c
		# cvs update -d -P sys/miscfs/procfs/procfs_mem.c
		# cvs update -d -P sys/miscfs/procfs/procfs_regs.c
		# cvs update -d -P sys/miscfs/procfs/procfs_vnops.c

	Then build and install a new kernel. If you are not familiar
	with this process, documentation is available at:

		http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel

	Alternatively, apply the following patch (with potential offset
	differences):

		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.5.patch

	To patch:

		# cd src
		# patch < /path/to/SA2002-001-ptrace-1.5.patch

	Then build and install a new kernel. If you are not familiar
	with this process, documentation is available at:

		http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	Apply the following patch (with potential offset differences):

		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.4.patch

	To patch:

		# cd src
		# patch < /path/to/SA2002-001-ptrace-1.4.patch

	Then build and install a new kernel. If you are not familiar
	with this process, documentation is available at:

		http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel


Thanks To
=========

Havard Eidnes and Christos Zoulas for work on the patches, and
Tor Egge of FreeBSD for raising the issue.


Revision History
================

	2002-01-16	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-001.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-001.txt,v 1.6 2002/01/16 06:28:08 david Exp $
  
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPEWdsD5Ru2/4N2IFAQFAlQP8DrpewEgC/72QqEd0WKSHUS6AWh8jaXcf
5Uq3torY6Cuk/C0jlhbbSo+PKdxPbtdmhUDP+7WMcVcGQbNwGI0/sbVj2fS0u5Cq
nm/EQZ8eNf4XudC/CMkpinP2Oid+8K032Mh1b7HiD1UQeE/Nd96X0xEQ4fIRebqt
AGnGymrlWyc=
=vLoR
- -----END PGP SIGNATURE-----


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPFgKRih9+71yA2DNAQEGZgP8CkK6dvzYWTzXe7GFiETtJ3TbePH2mQqZ
lOsb05xinxi5RzVcGT7zmD3C+9rBjMfTgLllbTwzz8qtlHFxtSFLdVYMlBzxgf4+
69r/lB1f2J+C0QsSbwD9B8AMKy3YQMHXrR0x6/Pm4rkfk/Qk6XAFkQQdFjaNrGEO
4WDb96Zq510=
=amYW
-----END PGP SIGNATURE-----