The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


NetBSD Security Advisory 2000-001


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Wed, 16 Feb 2000 07:59:08 +1100
From: Daniel Carosone <security-officer@NETBSD.ORG.>
To: [email protected]
Subject: NetBSD Security Advisory 2000-001

-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2000-001

Topic: procfs security hole Version: NetBSD 1.4.1 and prior; NetBSD-current until 20000126 Severity: If the proc filesystem is mounted, any user can become root Abstract ======== The procfs filesystem makes the different resources of a process available under the directory /proc/<pid>/. One of these resources is the memory image of the process. Reading to and writing from this special file is restricted. However, by tricking a setuid binary to write into this file, this restriction can be circumvented, and the memory image of another setuid binary can be manipulated in such a way that it will execute a shell. Note that the procfs filesystem is not used in default NetBSD installations. Technical Details ================= Access to /proc/<pid>/mem is protected by the procfs_checkioperm() function in sys/miscfs/procfs/procfs_mem.c. However, this function does allow access if the effective uid of the writing process is 0. If a setuid process can be manipulated in such a way that it writes to a filedescriptor referring to an open /proc/<pid>/mem, this check will not protect the memory written. One way to do this is to open /proc/<pid>/mem, dup2() that filedescriptor onto filedescriptor 2, do a seek on that filedescriptor to an appropriate offset (the right stack address), execute a setuid binary, and trick it into writing an error message that contains code to execute a shell. If the main program, meanwhile, has executed another setuid binary, this will have its stack overwritten, and execute a shell, giving the user root access. Solutions and Workarounds
A patch is available for NetBSD 1.4.1, that revokes all vnodes referring to procfs files when a process is about to execute a setuid or setgid binary. It is located at: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000130-procfs NetBSD-current since 20000126 is not vulnerable. Users of NetBSD-current should upgrade to a source tree later than 20000126 If this action cannot be taken, an immediate workaround is to disable the use of the proc filesystem. It is not mounted by default in NetBSD, and nothing in the NetBSD base tree depends on it. You can disable it by removing any procfs lines from /etc/fstab. Thanks To ========= Jason Thorpe and Charles Hannum for commenting on the fix. Revision History ================ 1999/01/29 - initial version 1999/01/31 - corrected spelling of "onto" 1999/02/13 - minor editorial changes for release. More Information ================ Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 1999, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2000-001.txt,v 1.2 2000/02/13 03:25:24 dan Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBOKlSgj5Ru2/4N2IFAQECjgP/RtIkVx/KPOvt71DVPic0SGmN2o+Pu8cs KVKbVs0Dyt1aKJjCqYFsvm1JSD1YYa3LqRPEzA5wIKkqRRdswr1+4+h1ucEkQjyg OIVauDaLvgTT2KeR9aNbAmLE6ZMTWwcY6CvuBt6gU1Cqf8ej/5qzSUNmKujEu1cj RVxHgh1mtM4= =4JqF -----END PGP SIGNATURE-----

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру