NetBSD Security Advisory 2000-001: procfs | Linux Today

NetBSD Security Advisory 2000-001: procfs

Written By
Web Webster
Web Webster
Feb 17, 2000

Date: Wed, 16 Feb 2000 07:59:08 +1100
From: Daniel Carosone security-officer@NETBSD.ORG

To: BUGTRAQ@SECURITYFOCUS.COM
Subject: NetBSD Security Advisory 2000-001

NetBSD Security Advisory 2000-001


Topic: procfs security hole
Version: NetBSD 1.4.1 and prior; NetBSD-current until 20000126
Severity: If the proc filesystem is mounted, any user can become
root

Abstract


The procfs filesystem makes the different resources of a process
available under the directory /proc//. One of these resources is
the memory image of the process. Reading to and writing from this
special file is restricted. However, by tricking a setuid binary to
write into this file, this restriction can be circumvented, and the
memory image of another setuid binary can be manipulated in such a
way that it will execute a shell.

Note that the procfs filesystem is not used in default NetBSD
installations.

Technical Details


Access to /proc//mem is protected by the procfs_checkioperm()
function in sys/miscfs/procfs/procfs_mem.c. However, this function
does allow access if the effective uid of the writing process is 0.
If a setuid process can be manipulated in such a way that it writes
to a filedescriptor referring to an open /proc//mem, this check
will not protect the memory written. One way to do this is to open
/proc//mem, dup2() that filedescriptor onto filedescriptor 2, do a
seek on that filedescriptor to an appropriate offset (the right
stack address), execute a setuid binary, and trick it into writing
an error message that contains code to execute a shell. If the main
program, meanwhile, has executed another setuid binary, this will
have its stack overwritten, and execute a shell, giving the user
root access.

Solutions and Workarounds


A patch is available for NetBSD 1.4.1, that revokes all vnodes
referring to procfs files when a process is about to execute a
setuid or setgid binary. It is located at:


ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000130-procfs

NetBSD-current since 20000126 is not vulnerable. Users of
NetBSD-current should upgrade to a source tree later than
20000126

If this action cannot be taken, an immediate workaround is to
disable the use of the proc filesystem. It is not mounted by
default in NetBSD, and nothing in the NetBSD base tree depends on
it. You can disable it by removing any procfs lines from
/etc/fstab.

Thanks To


Jason Thorpe and Charles Hannum for commenting on the fix.

Revision History


1999/01/29 – initial version
1999/01/31 – corrected spelling of “onto”
1999/02/13 – minor editorial changes for release.

More Information


Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and
http://www.NetBSD.ORG/Security/.

Copyright 1999, The NetBSD Foundation, Inc. All Rights
Reserved.

Web Webster

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.