Operating System:

Published:

15 February 2000

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution
                             
              ESB-2000.028 -- NetBSD Security Advisory 2000-001
                            procfs security hole
                              16 February 2000

===========================================================================

The NetBSD Foundation, Inc. has released the following advisory
concerning a possible security vulnerability in proc filesystem of
NetBSD versions prior to and including 1.4.1.

By tricking a setuid binary to write to the memory image of a
process (made available by the procfs filesystem) the memory image
of another setuid binary can be manipulated in such a way that it
will execute a shell.

This vulnerability may allow local users to gain root access if
the proc filesystem is mounted.


- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2000-001
                 =================================

Topic:		procfs security hole
Version:	NetBSD 1.4.1 and prior; NetBSD-current until 20000126
Severity:	If the proc filesystem is mounted, any user can become root


Abstract
========

The procfs filesystem makes the different resources of a process
available under the directory /proc/<pid>/. One of these resources
is the memory image of the process. Reading to and writing from this
special file is restricted. However, by tricking a setuid binary to
write into this file, this restriction can be circumvented, and the
memory image of another setuid binary can be manipulated in such a way
that it will execute a shell.

Note that the procfs filesystem is not used in default NetBSD
installations.

Technical Details
=================

Access to /proc/<pid>/mem is protected by the procfs_checkioperm()
function in sys/miscfs/procfs/procfs_mem.c. However, this function
does allow access if the effective uid of the writing process is 0.
If a setuid process can be manipulated in such a way that it writes to
a filedescriptor referring to an open /proc/<pid>/mem, this check
will not protect the memory written. One way to do this is to open
/proc/<pid>/mem, dup2() that filedescriptor onto filedescriptor 2,
do a seek on that filedescriptor to an appropriate offset (the right
stack address), execute a setuid binary, and trick it into writing an
error message that contains code to execute a shell. If the main
program, meanwhile, has executed another setuid binary, this will have
its stack overwritten, and execute a shell, giving the user root
access.

Solutions and Workarounds
=========================

A patch is available for NetBSD 1.4.1, that revokes all vnodes
referring to procfs files when a process is about to execute
a setuid or setgid binary. It is located at:

    ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000130-procfs

NetBSD-current since 20000126 is not vulnerable.  Users of
NetBSD-current should upgrade to a source tree later than 20000126

If this action cannot be taken, an immediate workaround is to disable
the use of the proc filesystem. It is not mounted by default in NetBSD,
and nothing in the NetBSD base tree depends on it. You can disable
it by removing any procfs lines from /etc/fstab.

Thanks To
=========

Jason Thorpe and Charles Hannum for commenting on the fix.

Revision History
================

	1999/01/29 - initial version
	1999/01/31 - corrected spelling of "onto"
	1999/02/13 - minor editorial changes for release.

More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 1999, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2000-001.txt,v 1.2 2000/02/13 03:25:24 dan Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOKlSgj5Ru2/4N2IFAQECjgP/RtIkVx/KPOvt71DVPic0SGmN2o+Pu8cs
KVKbVs0Dyt1aKJjCqYFsvm1JSD1YYa3LqRPEzA5wIKkqRRdswr1+4+h1ucEkQjyg
OIVauDaLvgTT2KeR9aNbAmLE6ZMTWwcY6CvuBt6gU1Cqf8ej/5qzSUNmKujEu1cj
RVxHgh1mtM4=
=4JqF
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOMy1dyh9+71yA2DNAQGXiQP+LVEwkj2x/dnSXb+LnDwvgzgbyaigotdl
limsrz55qedt4GIVPmS6oF7dCWYirq8HcprGRixMVLecOoKxYm22HM/4YSL9bPYt
DF5lvHz3h5/dE0f9AWBKJviFPDWjbEvhRpGILzNsHjBA2ht8b2iUcPe+ZiGoWa+a
93koiye1RLo=
=6SoI
-----END PGP SIGNATURE-----