netbsd.2002-001.ptrace

netbsd.2002-001.ptrace: Posted Jan 19, 2002; Site netbsd.org; NetBSD Security Advisory 2002-001 - A vulnerability found in the ptrace implementation on NetBSD 1.5.* , 1.4.* and CURRENT (prior to January 14, 2002) systems can result in race conditions where it is possible to use ptrace and SUID binaries to execute code with elevated privileges.; systems | netbsd; SHA-256 | e2ceb90aa470a1126631cd2c2ce223394cc423f2b65930b3f1227dd7029eb3b2; Download | Favorite | View

netbsd.2002-001.ptrace

-----BEGIN PGP SIGNED MESSAGE-----


     NetBSD Security Advisory 2002-001
     =================================

Topic:    Close-on-exec, SUID and ptrace(2)

Version:  NetBSD-current:  prior to January 14, 2002
    NetBSD-1.5.*:  affected up to and including 1.5.2
    NetBSD-1.4.*:  affected up to and including 1.4.3

Severity:  local root privilege compromise

Fixed:    NetBSD-current:    January 14, 2002
    NetBSD-1.5 branch:  January 14, 2002
    NetBSD-1.4 branch:  January 14, 2002


Abstract
========

A process could exec a setuid binary, while gaining ptrace control
over it for a short period before the process was activated. The
ptrace controller process could then modify the address space of the
controlled process and abuse its elevated privileges.

Technical Details
=================

The opportunity for abuse is similar to the issues in NetBSD-SA2001-009,
though the cause is different. A race condition existed which allowed
bypassing of the usual restrictions against using ptrace on setugid
processes.

Since there is no known public exploit of this issue, and it is known to
affect other BSDs it would be a public disservice to provide further
insight at this time.

A patch is being included for procfs which can be exploited in a similar
fashion.

Note that the ptrace portion of this advisory affects all kernels, not
only kernels with particular options, such as procfs.

Solutions and Workarounds
=========================

The only workaround available is to disable all logins by untrusted
users. The race should still be patched, since it would allow elevation
to root privileges if some other vulnerability allowed a non-privileged
account to be compromised.

Since all recent NetBSD versions are affected, anyone who grants or has
granted
user accounts to untrusted users on their systems should apply the patch
for
this issue immediately.

While initial tests against earlier versions such as NetBSD-1.3.x were
unsuccessful, it is still expected that this issue would apply to these
older
versions as well.  It is strongly recommended that systems running
NetBSD-1.3.x and earlier be upgraded to a more recent release for many
security and performance reasons.

The following instructions describe how to upgrade your kernel by
updating your source tree or patching it.

* NetBSD-current:

  Systems running NetBSD-current dated from before 2002-01-14
  should be upgraded to NetBSD-current dated 2002-01-15 or later.

  The following files need to be updated from the
  netbsd-current CVS branch (aka HEAD):
    sys/kern/kern_exec.c
    sys/kern/sys_process.c
    sys/sys/proc.h
    sys/miscfs/procfs/procfs_ctl.c
    sys/miscfs/procfs/procfs_mem.c
    sys/miscfs/procfs/procfs_regs.c
    sys/miscfs/procfs/procfs_vnops.c

  To update your kernel sources from CVS:
    # cd src
    # cvs update -d -P sys/kern/kern_exec.c
    # cvs update -d -P sys/kern/sys_process.c
    # cvs update -d -P sys/sys/proc.h
    # cvs update -d -P sys/miscfs/procfs/procfs_ctl.c
    # cvs update -d -P sys/miscfs/procfs/procfs_mem.c
    # cvs update -d -P sys/miscfs/procfs/procfs_regs.c
    # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c

  Then build and install a new kernel. If you are not familiar
  with this process, documentation is available at:

    http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel

* NetBSD 1.5, 1.5.1, 1.5.2:

  Systems running NetBSD 1.5-branch sources dated from
  before 2002-01-14 should be upgraded from NetBSD 1.5-branch
  sources dated 2002-01-15 or later.

  The following files need to be updated from the
  netbsd-1-5 CVS branch:
    sys/kern/kern_exec.c
    sys/kern/sys_process.c
    sys/sys/proc.h
    sys/miscfs/procfs/procfs_ctl.c
    sys/miscfs/procfs/procfs_mem.c
    sys/miscfs/procfs/procfs_regs.c

  To update your existing checkout of 1.5-branch kernel sources from CVS:

    # cd src
    # cvs update -d -P sys/kern/kern_exec.c
    # cvs update -d -P sys/kern/sys_process.c
    # cvs update -d -P sys/sys/proc.h
    # cvs update -d -P sys/miscfs/procfs/procfs_ctl.c
    # cvs update -d -P sys/miscfs/procfs/procfs_mem.c
    # cvs update -d -P sys/miscfs/procfs/procfs_regs.c
    # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c

  Then build and install a new kernel. If you are not familiar
  with this process, documentation is available at:

    http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel

  Alternatively, apply the following patch (with potential offset
  differences):

  
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.5.patch

  To patch:

    # cd src
    # patch < /path/to/SA2002-001-ptrace-1.5.patch

  Then build and install a new kernel. If you are not familiar
  with this process, documentation is available at:

    http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

  Apply the following patch (with potential offset differences):

  
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.4.patch

  To patch:

    # cd src
    # patch < /path/to/SA2002-001-ptrace-1.4.patch

  Then build and install a new kernel. If you are not familiar
  with this process, documentation is available at:

    http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel


Thanks To
=========

Havard Eidnes and Christos Zoulas for work on the patches, and
Tor Egge of FreeBSD for raising the issue.


Revision History
================

  2002-01-16  Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
 
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-001.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-001.txt,v 1.6 2002/01/16 06:28:08 david Exp $
  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPEWdsD5Ru2/4N2IFAQFAlQP8DrpewEgC/72QqEd0WKSHUS6AWh8jaXcf
5Uq3torY6Cuk/C0jlhbbSo+PKdxPbtdmhUDP+7WMcVcGQbNwGI0/sbVj2fS0u5Cq
nm/EQZ8eNf4XudC/CMkpinP2Oid+8K032Mh1b7HiD1UQeE/Nd96X0xEQ4fIRebqt
AGnGymrlWyc=
=vLoR
-----END PGP SIGNATURE-----

Top Authors In Last 30 Days

Red Hat 237 files
indoushka 172 files
Jay Turla 150 files
Ubuntu 78 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

netbsd.2002-001.ptrace

netbsd.2002-001.ptrace

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

netbsd.2002-001.ptrace

Share This

netbsd.2002-001.ptrace

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems