Date: Wed, 12 May 2004 13:50:57 -0400
From: NetBSD Security-Officer <security-officer@netbsd.org.>
To: bugtraq@securityfocus.com
Subject: NetBSD Security Advisory 2004-007: Systrace systrace_exit() local root
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2004-007
Topic: Systrace systrace_exit() local root
Version: NetBSD-current: source prior to Apr 16, 2004
netBSD 2.0 branch: source prior to Apr 16, 2004
netBSD 1.6.2: not affected
NetBSD 1.6.1: not affected
NetBSD 1.6: not affected
NetBSD-1.5.3: not affected
NetBSD-1.5.2: not affected
NetBSD-1.5.1: not affected
NetBSD-1.5: not affected
Severity: local root exploit
Fixed: NetBSD-current: Apr 17, 2004
NetBSD-2.0 branch: Apr 17, 2004 (2.0 will include
the fix)
Abstract
========
A local user that is allowed to use /dev/systrace can obtain root
access.
Technical Details
=================
systrace_exit() did not check if the connection to systrace was owned by
the super user, and would set euid to 0 on exit.
Solutions and Workarounds
Patching from sources:
The fix for this issue is contained in the one file,
sys/kern/kern_systrace.c
The following table lists the fixed revisions and
dates of this file for each branch:
CVS branch revision date
------------- ----------- ----------------
HEAD 1.38 2004/04/17
netbsd-2-0 1.37.2.1 2004/04/17
The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and installing a
new version of the kernel. In these instructions, replace:
BRANCH with the appropriate CVS branch (from the above table)
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r BRANCH sys/kern/sysv_shm.c
# cd sys/arch/ARCH/conf
# config KERNCONF
# cd ../compile/KERNCONF
# make depend;make
# mv /netbsd /netbsd.old
# cp netbsd /
# reboot
* Binary Patch:
Binary patches are being provided, in the form of replacement
kernels built with the patches from the GENERIC kernel
configuration. If you use a custom kernel configuration, these
may not be suitable for you.
netbsd-current:
Releng does not compile -current kernels during a release cycle.
Users of -current are expected to be capable of upgrading from
sources.
netbsd-2-0:
Retreive a kernel from:
ftp://releng.netbsd.org/pub/NetBSD-daily/netbsd-2-0/DATE/ARCH/binary/kernel/
Where DATE is any available DATE later than 2004-04-17
Thanks To
=========
Stefan Esser for detection and notification
Niels Provos for patches
Revision History
================
2004-05-12 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-007.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2004, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2004-007.txt,v 1.2 2004/05/12 15:39:10 david Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)
iQCVAwUBQKJFLz5Ru2/4N2IFAQEaTgQAhGSQG1/cWAjKSV95hZ5dej1tkA+eYEMO
Y8EuSm80ebavAb4gJnvm5AcpnWu8THZgMdALNcJ+E7cK9wzCF8XfLHy/hHRPCcgr
Q/2vtood5T/ZdDdWJ9RXPBxR6GtAGvHXdhBqHWxTdN8OmaX36N1TptQ4mI9QoeWf
PTIeZpnsSBw=
=RBZ+
-----END PGP SIGNATURE-----
