FreeBSD Security Advisory: FreeBSD-SA-00:02.procfs

Date: Fri, 28 Jan 2000 02:01:36 -0700 (MST)
From: FreeBSD Security Officer security-officer@FreeBSD.ORG

Subject: FreeBSD Security Advisory: FreeBSD-SA-00:02.procfs

—–BEGIN PGP SIGNED MESSAGE—–

---

FreeBSD-SA-00:01 Security Advisory

FreeBSD, Inc.

Topic: Old procfs hole incompletely filled

Category: core
Module: make
Announced: 2000-01-24
Affects: All versions before the correction date.
Corrected: 2000-01-20
FreeBSD only: NO

Patches:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:02/procfs.patch

I. Background

procfs provides access to other processes memory spaces. This is
intended to be used in debugging and has many safeguards built into
it to prevent abuse.

II. Problem Description

In January 1997 a fatal flaw in *BSD procfs code (leading to a
local root compromise) was discussed on various security forums.
The exploit code dealt with /proc/pid/mem interface. Since then
*BSD kernels contained a simple fix which was meant to close this
hole.

Unfortunately, throughout these three years it was still
possible to abuse /proc/pid/mem in a similar, though more
complicated fashion, which could lead to local root compromise.

III. Impact

Local users can gain root access.

IV. Workaround

You can unmount /proc. In both 3.x-stable and 4.0-current this
will break truss and gcore. In 3.x-stable systems only it will
reduce the amount of information ps reports.

V. Solution

Apply the following patch

Index: sys/filedesc.h
===================================================================
RCS file: /base/FreeBSD-CVS/src/sys/sys/filedesc.h,v
retrieving revision 1.15.2.1
diff -u -r1.15.2.1 filedesc.h
--- filedesc.h      1999/08/29 16:32:22     1.15.2.1
+++ filedesc.h      2000/01/20 21:39:29
@@ -139,6 +139,7 @@
int        fsetown __P((pid_t, struct sigio **));
void       funsetown __P((struct sigio *));
void       funsetownlst __P((struct sigiolst *));
+void       setugidsafety __P((struct proc *p));
#endif

#endif
Index: kern/kern_descrip.c
===================================================================
RCS file: /base/FreeBSD-CVS/src/sys/kern/kern_descrip.c,v
retrieving revision 1.58.2.3
diff -u -r1.58.2.3 kern_descrip.c
--- kern_descrip.c  1999/11/18 08:09:08     1.58.2.3
+++ kern_descrip.c  2000/01/20 21:40:00
@@ -984,6 +984,62 @@
}

/*
+ * For setuid/setgid programs we don't want to people to use that setuidness
+ * to generate error messages which write to a file which otherwise would
+ * otherwise be off limits to the proces.
+ *
+ * This is a gross hack to plug the hole.  A better solution would involve
+ * a special vop or other form of generalized access control mechanism.  We
+ * go ahead and just reject all procfs file systems accesses as dangerous.
+ *
+ * Since setugidsafety calls this only for fd 0, 1 and 2, this check is
+ * sufficient.  We also don't for setugidness since we know we are.
+ */
+static int
+is_unsafe(struct file *fp)
+{
+   if (fp->f_type == DTYPE_VNODE &&
+       ((struct vnode *)(fp->f_data))->v_tag == VT_PROCFS)
+           return (1);
+   return (0);
+}
+
+/*
+ * Make this setguid thing safe, if at all possible.
+ */
+void
+setugidsafety(p)
+   struct proc *p;
+{
+   struct filedesc *fdp = p->p_fd;
+   struct file **fpp;
+   char *fdfp;
+   register int i;
+
+   /* Certain daemons might not have file descriptors. */
+   if (fdp == NULL)
+           return;
+
+   fpp = fdp->fd_ofiles;
+   fdfp = fdp->fd_ofileflags;
+   for (i = 0; i <= fdp->fd_lastfile; i++, fpp++, fdfp++) {
+           if (i > 2)
+                   break;
+           if (*fpp != NULL && is_unsafe(*fpp)) {
+                   if (*fdfp & UF_MAPPED)
+                           (void) munmapfd(p, i);
+                   (void) closef(*fpp, p);
+                   *fpp = NULL;
+                   *fdfp = 0;
+                   if (i < fdp->fd_freefile)
+                           fdp->fd_freefile = i;
+           }
+   }
+   while (fdp->fd_lastfile > 0 && fdp->fd_ofiles[fdp->fd_lastfile] == NULL)
+           fdp->fd_lastfile--;
+}
+
+/*
* Close any files on exec?
*/
void
Index: kern/kern_exec.c
===================================================================
RCS file: /base/FreeBSD-CVS/src/sys/kern/kern_exec.c,v
retrieving revision 1.93.2.3
diff -u -r1.93.2.3 kern_exec.c
--- kern_exec.c     1999/08/29 16:25:58     1.93.2.3
+++ kern_exec.c     2000/01/20 21:39:29
@@ -281,6 +281,7 @@
              if (attr.va_mode & VSGID)
                      p->p_ucred->cr_gid = attr.va_gid;
              setsugid(p);
+           setugidsafety(p);
      } else {
              if (p->p_ucred->cr_uid == p->p_cred->p_ruid &&
                  p->p_ucred->cr_gid == p->p_cred->p_rgid)

VI. Credits

We are republishing a heavily edited FEAR security advisory
(number 1) entitled “*BSD procfs vulnerability”. More information
about FEAR can be found at http://www.fear.pl. We would like to
thank nergal@idea.avet.com.pl for sending a preliminary version of
the advisory to us in time to correct the problem.

---

FreeBSD, Inc.

Web Site: http://www.freebsd.org/
Confidential contacts: security-officer@freebsd.org

Security notifications: security-notifications@freebsd.org

Security public discussion: freebsd-security@freebsd.org

PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

Notice: Any patches in this document may not apply cleanly due
to modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document for
original copies of all patches if necessary.

---

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBOJFWeFUuHi5z0oilAQHo2AP+N4GDREEmjxy6RUvt+G3cRe1Sx4yxr/Jd
q70D5Icp3JlcJgxGfWFqGGvt8yx9xMm6d57mFDltdvPKr0TY0n0bY39BJlRAto9n
gn8BJJvQ0WQ15ctOQKIsGwGJqHvA+p4qAHYFE3sUIZn6oMz5//C5OmaC7mFtrycY
TI64bNR+0F8=
=/F89
-----END PGP SIGNATURE-----

This is the moderated mailing list freebsd-announce. The list
contains announcements of new FreeBSD capabilities, important
events and project milestones. See also the FreeBSD Web pages at
http://www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with
“unsubscribe freebsd-announce” in the body of the message