Date: Sat, 19 Feb 2000 15:27:24 +1100
From: Daniel Carosone security-officer@NETBSD.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: UPDATED: NetBSD Security Advisory 2000-001
An updated version of this security advisory has been issued;
note that the advisory is now applicable to a wider range of
systems than had previously been stated.
NetBSD Security Advisory 2000-001
Topic: procfs security hole
Version: NetBSD 1.4.1 and prior; NetBSD-current until 20000126
Severity: If the kernel has procfs configured, any user can become
root
Abstract
========
The procfs filesystem makes the different resources of a process
available under the directory /proc//. One of these resources is
the memory image of the process. Reading to and writing from this
special file is restricted. However, by tricking a setuid binary to
write into this file, this restriction can be circumvented, and the
memory image of another setuid binary can be manipulated in such a
way that it will execute a shell.
Systems which have procfs configured in the kernel, but not
mounted normally, are still vulnerable because user processes may
mount procfs. This includes most default NetBSD installations.
Technical Details
Access to /proc//mem is protected by the procfs_checkioperm()
function in sys/miscfs/procfs/procfs_mem.c. However, this function
does allow access if the effective uid of the writing process is 0.
If a setuid process can be manipulated in such a way that it writes
to a filedescriptor referring to an open /proc//mem, this check
will not protect the memory written. One way to do this is to open
/proc//mem, dup2() that filedescriptor onto filedescriptor 2, do a
seek on that filedescriptor to an appropriate offset (the right
stack address), execute a setuid binary, and trick it into writing
an error message that contains code to execute a shell. If the main
program, meanwhile, has executed another setuid binary, this will
have its stack overwritten, and execute a shell, giving the user
root access.
Solutions and Workarounds
A patch is available for NetBSD 1.4.1, that revokes all vnodes
referring to procfs files when a process is about to execute a
setuid or setgid binary. It is located at:
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000130-procfs
This patch will be included in the upcoming NetBSD 1.4.2 minor
release.
NetBSD-current since 20000126 is not vulnerable. Users of
NetBSD-current should upgrade to a source tree later than
20000126.
If this action cannot be taken, a workaround is to disable the
use of the proc filesystem. It is not mounted by default in NetBSD,
and nothing in the NetBSD base tree depends on it.
The procfs filesystem should be disabled by removing it from the
kernel config and rebuilding a new kernel. It is recommended that
the patch above be applied in this case anyway.
An earlier version of this advisory suggested removing any
procfs lines from /etc/fstab, however this is not sufficient. User
processes are able to mount filesystems (subject to some
conditions) and the procfs filesystem is compiled into default
NetBSD kernels. If a user mounts the procfs filesystem, the system
will be vulnerable as above.
In response to this issue, as of 20000216 NetBSD-current
implements a sysctl ‘vfs.generic.usermount’ to allow administrators
to select whether user mounts should be allowed; by default they
are now disallowed.
Thanks To
=========
Jason Thorpe and Charles Hannum for commenting on the fix, Chris
Jones for observing the user mount problem, and Frank van der
Linden for implementing both the fix to procfs and the usermount
sysctl.
Revision History
2000/01/29 – initial version
2000/01/31 – corrected spelling of “onto”
2000/02/13 – minor editorial changes for release.
2000/02/16 – Noted user mount problem, corrected these dates
More Information
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and
http://www.NetBSD.ORG/Security/.
Copyright 2000, The NetBSD Foundation, Inc. All Rights
Reserved.