-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AUSCERT External Security Bulletin Redistribution

            ESB-2002.056 -- NetBSD Security Advisory 2002-001
                   Close-on-exec, SUID and ptrace(2)
                           30 January 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                kernel
Vendor:                 NetBSD
Operating System:       NetBSD-current: prior to January 14, 2002
                        NetBSD-1.5.*:   affected up to and including 1.5.2
                        NetBSD-1.4.*:   affected up to and including 1.4.3
Impact:                 Root Compromise
Access Required:        Existing Account

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2002-001
                 =================================

Topic:          Close-on-exec, SUID and ptrace(2)

Version:        NetBSD-current:     prior to January 14, 2002
                NetBSD-1.5.*:       affected up to and including 1.5.2
                NetBSD-1.4.*:       affected up to and including 1.4.3

Severity:       local root privilege compromise

Fixed:          NetBSD-current:     January 14, 2002
                NetBSD-1.5 branch:  January 14, 2002
                NetBSD-1.4 branch:  January 14, 2002


Abstract
========

A process could exec a setuid binary, while gaining ptrace control
over it for a short period before the process was activated.  The
ptrace controller process could then modify the address space of the
controlled process and abuse its elevated privileges.

Technical Details
=================

The opportunity for abuse is similar to the issues in
NetBSD-SA2001-009, though the cause is different.

A race condition existed which allowed bypassing of the usual
restrictions against using ptrace on setugid processes.

Since there is no known public exploit of this issue, and it is known
to affect other BSDs, it would be a public disservice to provide
further insight at this time.

A patch is being included for procfs, which can be exploited in a
similar fashion.
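The following is an added example, not part of the advisory and not
NetBSD kernel code: a small user-space C model of the race the
Technical Details describe, and of the fix pattern that closes it.  An
unprivileged tracer issues PT_ATTACH against a child it owns while that
child is inside execve(2) of a setuid-root image.  The exec decided early
(the child was not traced at that moment) to honour the set-id bit, so a
late attach yields a traced process that ends up running as root.  The
fix modelled here marks a process as in-exec for the duration of
execve(2) and has PT_ATTACH refuse such a target.  P_INEXEC is the flag
name NetBSD used for this purpose in sys/sys/proc.h; the ordering of
checks, the errno values, the uids and the interleaving callback are
assumptions of the model, and the scenario is constructed.

```c
/* Added example, not NetBSD kernel code: a user-space model of the race
 * between ptrace(2) PT_ATTACH and execve(2) of a set-id image, and of the
 * fix pattern that closes it.  Flag name P_INEXEC follows NetBSD's proc.h;
 * the check structure is an assumed simplification. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define P_TRACED 0x01  /* process is being traced */
#define P_SUGID  0x02  /* set-id bits were honoured at the last exec */
#define P_INEXEC 0x04  /* process is inside execve(2); credentials unsettled */

struct proc  { int pid; unsigned ruid, euid, flags; };
struct image { bool setuid; unsigned owner_uid; };

/* PT_ATTACH permission check; 'fixed' adds the P_INEXEC guard. */
int ptrace_attach(const struct proc *tracer, struct proc *t, bool fixed)
{
    if (tracer->pid == t->pid)
        return EINVAL;
    if (t->flags & P_TRACED)
        return EBUSY;
    if (fixed && (t->flags & P_INEXEC))
        return EAGAIN;  /* mid-exec: the set-id decision may already be made */
    /* Not owned by the tracer, or set-id: root only. */
    if ((t->ruid != tracer->ruid || (t->flags & P_SUGID)) && tracer->euid != 0)
        return EPERM;
    t->flags |= P_TRACED;
    return 0;
}

typedef void (*interleave_fn)(void *);

/* execve(2) model.  The set-id decision (never for a traced process) is made
 * first; image loading follows; only then are the new credentials installed
 * and the image activated.  'during' runs in that gap and stands in for a
 * concurrently scheduled tracer. */
void execve_model(struct proc *p, const struct image *img, bool fixed,
                  interleave_fn during, void *arg)
{
    if (fixed)
        p->flags |= P_INEXEC;
    bool raise = img->setuid && !(p->flags & P_TRACED) &&
                 p->euid != img->owner_uid;
    if (during)              /* the window the advisory describes */
        during(arg);
    if (raise) {
        p->euid = img->owner_uid;
        p->flags |= P_SUGID;
    }
    if (fixed)
        p->flags &= ~P_INEXEC;   /* image activated; tracing allowed again */
}

struct race_ctx { struct proc *tracer, *target; bool fixed; int attach_rc; };

static void racing_attach(void *arg)
{
    struct race_ctx *c = arg;
    c->attach_rc = ptrace_attach(c->tracer, c->target, c->fixed);
}

struct race_result { int attach_rc; bool traced; unsigned euid; };

/* Constructed scenario: an unprivileged tracer (uid 1000) races PT_ATTACH
 * against a child it owns exec'ing a setuid-root image. */
struct race_result run_race(bool fixed)
{
    struct proc tracer = { 100, 1000, 1000, 0 }, child = { 101, 1000, 1000, 0 };
    struct image su = { true, 0 };
    struct race_ctx c = { &tracer, &child, fixed, -1 };
    execve_model(&child, &su, fixed, racing_attach, &c);
    struct race_result r = { c.attach_rc, (child.flags & P_TRACED) != 0, child.euid };
    return r;
}

/* Control: attaching once the exec is complete is refused by the ordinary
 * P_SUGID rule, fix or no fix. */
int attach_after_exec(void)
{
    struct proc tracer = { 100, 1000, 1000, 0 }, child = { 101, 1000, 1000, 0 };
    struct image su = { true, 0 };
    execve_model(&child, &su, true, NULL, NULL);
    return ptrace_attach(&tracer, &child, true);
}

/* Control: an already-traced process never gets elevated credentials. */
unsigned exec_while_traced_euid(void)
{
    struct proc tracer = { 100, 1000, 1000, 0 }, child = { 101, 1000, 1000, 0 };
    struct image su = { true, 0 };
    ptrace_attach(&tracer, &child, true);
    execve_model(&child, &su, true, NULL, NULL);
    return child.euid;
}

int main(void)
{
    struct race_result v = run_race(false), f = run_race(true);
    printf("vulnerable: attach=%d traced=%d euid=%u\n", v.attach_rc, v.traced, v.euid);
    printf("fixed:      attach=%d traced=%d euid=%u\n", f.attach_rc, f.traced, f.euid);
    printf("after exec: %d (EPERM=%d); traced exec euid=%u\n",
           attach_after_exec(), EPERM, exec_while_traced_euid());
    return 0;
}
```

Build with cc -std=c99 and run.  On the unfixed path the attach succeeds
and the child finishes the exec both traced and with euid 0; on the fixed
path the attach is refused with EAGAIN while the child is mid-exec, and
the two controls show that the pre-existing rules (no elevation for a
traced process, no attach to a set-id process) were never the problem:
the gap was between when the first rule was evaluated and when the
credentials were installed.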
Note that the ptrace portion of this advisory affects all kernels, not
only kernels with particular options, such as procfs.

Solutions and Workarounds
=========================

The only workaround available is to disable all logins by untrusted
users.  The race should still be patched, since it would allow
elevation to root privileges if some other vulnerability allowed a
non-privileged account to be compromised.

Since all recent NetBSD versions are affected, anyone who grants or
has granted user accounts to untrusted users on their systems should
apply the patch for this issue immediately.

While initial tests against earlier versions such as NetBSD-1.3.x were
unsuccessful, it is still expected that this issue would apply to
these older versions as well.  It is strongly recommended that systems
running NetBSD-1.3.x and earlier be upgraded to a more recent release
for many security and performance reasons.

The following instructions describe how to upgrade your kernel by
updating your source tree or patching it.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2002-01-14
        should be upgraded to NetBSD-current dated 2002-01-15 or later.

        The following files need to be updated from the
        netbsd-current CVS branch (aka HEAD):

                sys/kern/kern_exec.c
                sys/kern/sys_process.c
                sys/sys/proc.h
                sys/miscfs/procfs/procfs_ctl.c
                sys/miscfs/procfs/procfs_mem.c
                sys/miscfs/procfs/procfs_regs.c
                sys/miscfs/procfs/procfs_vnops.c

        To update your kernel sources from CVS:

                # cd src
                # cvs update -d -P sys/kern/kern_exec.c
                # cvs update -d -P sys/kern/sys_process.c
                # cvs update -d -P sys/sys/proc.h
                # cvs update -d -P sys/miscfs/procfs/procfs_ctl.c
                # cvs update -d -P sys/miscfs/procfs/procfs_mem.c
                # cvs update -d -P sys/miscfs/procfs/procfs_regs.c
                # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c

        Then build and install a new kernel.  If you are not familiar
        with this process, documentation is available at:

                http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel

* NetBSD 1.5, 1.5.1, 1.5.2:

        Systems running NetBSD 1.5-branch sources dated from before
        2002-01-14 should be upgraded to NetBSD 1.5-branch sources
        dated 2002-01-15 or later.

        The following files need to be updated from the netbsd-1-5
        CVS branch:

                sys/kern/kern_exec.c
                sys/kern/sys_process.c
                sys/sys/proc.h
                sys/miscfs/procfs/procfs_ctl.c
                sys/miscfs/procfs/procfs_mem.c
                sys/miscfs/procfs/procfs_regs.c

        To update your existing checkout of 1.5-branch kernel sources
        from CVS:

                # cd src
                # cvs update -d -P sys/kern/kern_exec.c
                # cvs update -d -P sys/kern/sys_process.c
                # cvs update -d -P sys/sys/proc.h
                # cvs update -d -P sys/miscfs/procfs/procfs_ctl.c
                # cvs update -d -P sys/miscfs/procfs/procfs_mem.c
                # cvs update -d -P sys/miscfs/procfs/procfs_regs.c
                # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c

        Then build and install a new kernel.  If you are not familiar
        with this process, documentation is available at:

                http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel

        Alternatively, apply the following patch (with potential
        offset differences):

                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.5.patch

        To patch:

                # cd src
                # patch < /path/to/SA2002-001-ptrace-1.5.patch

        Then build and install a new kernel.  If you are not familiar
        with this process, documentation is available at:

                http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel

* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

        Apply the following patch (with potential offset differences):

                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.4.patch

        To patch:

                # cd src
                # patch < /path/to/SA2002-001-ptrace-1.4.patch

        Then build and install a new kernel.  If you are not familiar
        with this process, documentation is available at:

                http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel

Thanks To
=========

Havard Eidnes and Christos Zoulas for work on the patches, and Tor
Egge of FreeBSD for raising the issue.

Revision History
================

        2002-01-16      Initial release

More Information
================

An up-to-date PGP signed copy of this release will be maintained at

        ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-001.txt.asc

Information about NetBSD and NetBSD security can be found at

        http://www.NetBSD.ORG/
        http://www.NetBSD.ORG/Security/

Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-001.txt,v 1.6 2002/01/16 06:28:08 david Exp $

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPEWdsD5Ru2/4N2IFAQFAlQP8DrpewEgC/72QqEd0WKSHUS6AWh8jaXcf
5Uq3torY6Cuk/C0jlhbbSo+PKdxPbtdmhUDP+7WMcVcGQbNwGI0/sbVj2fS0u5Cq
nm/EQZ8eNf4XudC/CMkpinP2Oid+8K032Mh1b7HiD1UQeE/Nd96X0xEQ4fIRebqt
AGnGymrlWyc=
=vLoR
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.  The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.  If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.  The decision to use any or all of this
information is the responsibility of each user or organisation, and
should be done so in accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).  On call after hours for
                emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPFgKRih9+71yA2DNAQEGZgP8CkK6dvzYWTzXe7GFiETtJ3TbePH2mQqZ
lOsb05xinxi5RzVcGT7zmD3C+9rBjMfTgLllbTwzz8qtlHFxtSFLdVYMlBzxgf4+
69r/lB1f2J+C0QsSbwD9B8AMKy3YQMHXrR0x6/Pm4rkfk/Qk6XAFkQQdFjaNrGEO
4WDb96Zq510=
=amYW
-----END PGP SIGNATURE-----