Operating System:

[NetBSD]

Published:

28 October 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2521
                   NetBSD 7.0.2 addresses vulnerability
                              28 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mail
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-6253  

Original Bulletin: 
   http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc

Comment: NetBSD 7.0.2, announced on 2016-10-21, includes the fix for
         CVE-2016-6253, the vulnerability addressed in this advisory,
         which was originally published on 2016-07-20.
         
         Proof of Concept code was made available by the researcher who 
         discovered the vulnerability.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2016-006
		 =================================

Topic:		Race condition in mail.local(8)

Version:	NetBSD-current:			affected prior to 2016-07-19
		NetBSD 7.0 - 7.0.1:		affected
		NetBSD 6.1 - 6.1.5:		affected
		NetBSD 6.0 - 6.0.6:		affected

Severity:	A local user may be able to take ownership of any file or
		append arbitrary data to it

Fixed:		NetBSD-current:		2016-07-19
		NetBSD-7 branch:	2016-07-19
		NetBSD-7-0 branch:	2016-07-19
		NetBSD-6 branch:	2016-07-19
		NetBSD-6-1 branch:	2016-07-19
		NetBSD-6-0 branch:	2016-07-19

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A race condition exists in the mail.local(8) program
(/usr/libexec/mail.local), which is installed setuid root. It can be
exploited to change the ownership of, or append arbitrary data to, an
arbitrary file.

A malicious local user can exploit the race to gain write access to a
critical system file and leverage that to escalate privileges to root.

This vulnerability has been assigned CVE-2016-6253.

Technical Details
=================

The user mailbox (typically /var/mail/$USER) to which a message is
delivered is first checked with lstat(2) to verify that it is not a
symbolic link, and only then opened with open(2). Because the check and
the open are two separate system calls made on a path name rather than on
the object that is eventually opened, this is a classic symlink race
(time-of-check/time-of-use). An attacker who wins the window between the
lstat(2) and open(2) calls can replace the mailbox with a symlink to an
arbitrary file. mail.local, running as root, then appends the message
data to the file the symlink points to, or changes that file's ownership
with fchown(2).
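As an added illustration, not code from this advisory or from NetBSD's mail.local, the following C program reproduces the lstat-then-open pattern described above, runs the attacker's symlink(2) in the gap between the two calls, and places a hardened variant beside it that opens with O_NOFOLLOW and validates the descriptor it actually holds with fstat(2). The hardened variant is my assumption about a correct fix, not a claim about the exact change NetBSD committed; the temporary directory, the "mailbox" and "target" file names and the payload are constructed for the demo, and the fchown(2) path is omitted because the append alone shows the race.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed environment: everything lives in a fresh mkdtemp(3) directory.
 * "mailbox" plays /var/mail/$USER, "target" plays the root-owned file the
 * attacker wants written to. */
typedef void (*race_hook)(const char *mailbox, const char *target);

const char PAYLOAD[] = "X-Injected: attacker data\n";

/* Attacker's move inside the window: swap the mailbox for a symlink. */
void attacker_symlink(const char *mailbox, const char *target)
{
    unlink(mailbox);
    if (symlink(target, mailbox) != 0)
        perror("symlink");
}

/* Vulnerable pattern from the advisory: lstat(2) on the path, then a
 * separate open(2) on the same path. The hook stands in for the attacker's
 * concurrent symlink(2) and runs exactly in the gap the advisory describes. */
int deliver_vulnerable(const char *mailbox, const char *target, race_hook hook)
{
    struct stat st;
    if (lstat(mailbox, &st) == 0 && S_ISLNK(st.st_mode))
        return -1;                           /* time-of-check: refuse a symlink */
    if (hook)
        hook(mailbox, target);               /* attacker wins the race here */
    /* time-of-use: open(2) without O_NOFOLLOW happily follows the new symlink */
    int fd = open(mailbox, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, PAYLOAD, strlen(PAYLOAD));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened form (assumed fix, not necessarily NetBSD's patch): let the kernel
 * refuse a symlink atomically via O_NOFOLLOW, then validate the descriptor we
 * hold with fstat(2) instead of re-examining a path name. */
int deliver_safe(const char *mailbox, const char *target, race_hook hook)
{
    if (hook)
        hook(mailbox, target);               /* same race, now harmless */
    int fd = open(mailbox, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                           /* ELOOP: the mailbox is a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);                           /* not a plain file, or hard-linked elsewhere */
        return -1;
    }
    ssize_t n = write(fd, PAYLOAD, strlen(PAYLOAD));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Runs one delivery while the attacker races it, and reports how many bytes
 * ended up in the protected target: strlen(PAYLOAD) means the attacker won,
 * 0 means the delivery was refused. Returns -1 if the setup itself failed. */
long run_scenario(int hardened)
{
    char dir[] = "/tmp/sa2016-006-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char mailbox[512], target[512];
    snprintf(mailbox, sizeof mailbox, "%s/mailbox", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    close(fd);

    if (hardened)
        deliver_safe(mailbox, target, attacker_symlink);
    else
        deliver_vulnerable(mailbox, target, attacker_symlink);

    struct stat st;
    long landed = (stat(target, &st) == 0) ? (long)st.st_size : -1;
    unlink(mailbox);
    unlink(target);
    rmdir(dir);
    return landed;
}

int main(void)
{
    printf("lstat-then-open: %ld bytes landed in target\n", run_scenario(0));
    printf("O_NOFOLLOW+fstat: %ld bytes landed in target\n", run_scenario(1));
    return 0;
}
```

The point of the hardened variant is that the property being checked (this is a regular file, not a link) is established by the kernel on the same open that yields the descriptor, and every later decision is made on that descriptor, so there is no path-name lookup left for an attacker to redirect.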

Solutions and Workarounds
=========================

A possible workaround is to remove mail.local or to clear its setuid bit
(chmod u-s /usr/libexec/mail.local; confirm with ls -l that the "s" is
gone from the owner permissions). mail.local was the local delivery agent
for sendmail(8), which is no longer shipped with NetBSD (NetBSD uses
postfix(1) as its MTA), so a default installation does not depend on it.
If a local MTA configuration still delivers through mail.local, clearing
the bit will break delivery to other users' mailboxes until the fixed
binary is installed.

Binary update of affected versions (root is required to extract):
To apply a fixed version from a releng build, fetch a matching base.tgz
from nyftp.netbsd.org and extract the fixed binaries:

# cd /var/tmp
# ftp http://nyftp.netbsd.org/pub/NetBSD-daily/<rel>/<build>/<arch>/binary/sets/base.tgz
# cd /
# tar xzpf /var/tmp/base.tgz ./usr/libexec/mail.local

with the following replacements:
<rel>   = the release version you are using
<build> = the source date of the build. 20160719 and later will fit
<arch>  = your system's architecture

The following instructions describe how to upgrade your mail.local(8)
binaries by updating your source tree and rebuilding and
installing a new version of mail.local(8).


* NetBSD-current:

        Systems running NetBSD-current dated from before 2016-07-19
        should be upgraded to NetBSD-current dated 2016-07-19 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):
                # cd src
                # cvs update -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 7.*:

        Systems running NetBSD 7.* sources dated from before
        2016-07-19 should be upgraded from NetBSD 7.* sources dated
        2016-07-19 or later.

        The following files/directories need to be updated from the
        netbsd-7, netbsd-7-0 branches:
                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):

                # cd src
                # cvs update -r <branch_name> -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 6.*:

        Systems running NetBSD 6.* sources dated from before
        2016-07-19 should be upgraded from NetBSD 6.* sources dated
        2016-07-19 or later.

        The following files/directories need to be updated from the
        netbsd-6, netbsd-6-1 or netbsd-6-0 branches:
                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):

                # cd src
                # cvs update -r <branch_name> -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

Thanks To
=========

Mateusz Kocielski who analyzed this problem and supplied the fixes.
Coverity for providing the Coverity Scan project.


Revision History
================

	2016-07-20	Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2016, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2016-006.txt.asc,v 1.1 2016/07/20 19:35:52 christos Exp $
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----