---

Home Security

NetBSD Security Advisory 1999-012: ptrace

By

Date: Wed, 16 Feb 2000 07:58:57 +1100
From: Daniel Carosone security-officer@NETBSD.ORG

To: BUGTRAQ@SECURITYFOCUS.COM
Subject: NetBSD Security Advisory 1999-012

NetBSD Security Advisory 1999-012

Topic: ptrace(2)’d processes can gain “kernel” privileges on
vax.
Version: NetBSD/vax 1.4.1 and earlier; -current prior to
19991212
Severity: Theoretical problem only, no known exploits

Abstract

As part of an ongoing effort to construct a secure kernel and
application environment, the NetBSD project has identified and
corrected a possible security issue.

A wrapper program can be constructed by a local user that can
modify the hardware privileges of a ptrace(2)’d process.

It might be possible to write a security-related exploit via
this mechanism.

Technical Details

NetBSD uses the ptrace(2) system call to trace and debug other
processes. The debugging process can also modify the internal
registers, including the status (PSL) register, for the process
being debugged.

Besides the normal user-accessible flags, the VAX hardware also
stores information about privilege levels and used stacks in the
PSL. Those flags are only altered via the instruction REI (return
from interrupt) or LDPCTX (load process context) and cannot be
modified while running in “user” mode.

When the PSL contents are altered by the debugging process, the
debugged process is in the kernel, and will get the privileges
defined by the PSL when it REI to userspace to continue
execution.

Solutions and Workarounds

Upgrade to NetBSD-current, or apply the following patch to 1.4.1:

Index: machdep.c

RCS file: /cvsroot/syssrc/sys/arch/vax/vax/machdep.c,v
retrieving revision 1.76.2.1
diff -c -r1.76.2.1 machdep.c
*** machdep.c   1999/04/16 16:26:01     1.76.2.1
- --- machdep.c   1999/12/12 11:08:46
***************
*** 770,776 ****
        tf->fp = regs->fp;
        tf->sp = regs->sp;
        tf->pc = regs->pc;
!       tf->psl = regs->psl;
        return 0;
  }

- --- 770,777 ----
        tf->fp = regs->fp;
        tf->sp = regs->sp;
        tf->pc = regs->pc;
!       tf->psl = (regs->psl|PSL_U|PSL_PREVU) &
!           ~(PSL_MBZ|PSL_IS|PSL_IPL1F|PSL_CM); /* Allow compat mode? */
        return 0;
  }

Thanks To

Discovery of the problem by Klaus Klein (kleink@netbsd.org)

Revision History

1999/12/12 – initial version

More Information

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and
http://www.NetBSD.ORG/Security/.

Copyright 1999, The NetBSD Foundation, Inc. All Rights
Reserved.

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.