The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


NetBSD Security Advisory 2004-007: Systrace systrace_exit() local root


<< Previous INDEX Search src Set bookmark Go to bookmark Next >> 
Date: Wed, 12 May 2004 13:50:57 -0400
From: NetBSD Security-Officer <security-officer@netbsd.org.>
To: bugtraq@securityfocus.com
Subject: NetBSD Security Advisory 2004-007: Systrace systrace_exit() local root


-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2004-007




Topic:		Systrace systrace_exit() local root

Version:	NetBSD-current:	source prior to Apr 16, 2004
                netBSD 2.0 branch:	source prior to Apr 16, 2004
                netBSD 1.6.2:	not affected
                NetBSD 1.6.1:	not affected
                NetBSD 1.6:	not affected
                NetBSD-1.5.3:	not affected
                NetBSD-1.5.2:	not affected
                NetBSD-1.5.1:	not affected
                NetBSD-1.5:	not affected

Severity:	local root exploit

Fixed:		NetBSD-current:		Apr 17, 2004
                NetBSD-2.0 branch:      Apr 17, 2004 (2.0 will include
                                                        the fix)

Abstract
========

A local user that is allowed to use /dev/systrace can obtain root
access.



Technical Details
=================

systrace_exit() did not check if the connection to systrace was owned by
the super user, and would set euid to 0 on exit.


Solutions and Workarounds




  • Patching from sources:

The fix for this issue is contained in the one file,
sys/kern/kern_systrace.c 

The following table lists the fixed revisions and
dates of this file for each branch:

  CVS branch     revision     date
  -------------  -----------  ----------------
  HEAD           1.38         2004/04/17
  netbsd-2-0     1.37.2.1     2004/04/17

The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and installing a
new version of the kernel. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  ARCH     with your architecture (from uname -m), and
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r BRANCH sys/kern/sysv_shm.c
        # cd sys/arch/ARCH/conf
        # config KERNCONF
        # cd ../compile/KERNCONF
        # make depend;make
        # mv /netbsd /netbsd.old
        # cp netbsd /
        # reboot


* Binary Patch:


        Binary patches are being provided, in the form of replacement
        kernels built with the patches from the GENERIC kernel
        configuration. If you use a custom kernel configuration, these
        may not be suitable for you.


netbsd-current:

        Releng does not compile -current kernels during a release cycle.
        Users of -current are expected to be capable of upgrading from
        sources.


netbsd-2-0:

        Retreive a kernel from:

        ftp://releng.netbsd.org/pub/NetBSD-daily/netbsd-2-0/DATE/ARCH/binary/kernel/

        Where DATE is any available DATE later than 2004-04-17


Thanks To
=========

Stefan Esser for detection and notification
Niels Provos for patches


Revision History
================

        2004-05-12	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-007.txt,v 1.2 2004/05/12 15:39:10 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)

iQCVAwUBQKJFLz5Ru2/4N2IFAQEaTgQAhGSQG1/cWAjKSV95hZ5dej1tkA+eYEMO
Y8EuSm80ebavAb4gJnvm5AcpnWu8THZgMdALNcJ+E7cK9wzCF8XfLHy/hHRPCcgr
Q/2vtood5T/ZdDdWJ9RXPBxR6GtAGvHXdhBqHWxTdN8OmaX36N1TptQ4mI9QoeWf
PTIeZpnsSBw=
=RBZ+
-----END PGP SIGNATURE-----

    • << Previous INDEX Search src Set bookmark Go to bookmark Next >>

    ПОДПИШИСЬ НА ЖУРНАЛ Linux Format 2012!

    Журнал "Linux Format" (Линукс Формат)- Единственный в России и странах СНГ журнал на русском языке, посвящённый Linux и свободному ПО. Журнал для IT-директоров, IT-менеджеров, программистов, системных администраторов, учителей школ и преподавателей ВУЗов и всех пользователей ПК. В каждом выпуске: Новости индустрии OpenSource, обзоры новинок свободного ПО, обучающие и методические статьи.

    Каждый, кто оформит подписку, получает бонусы и подарки- объёмные наклейки на системный блок, диск с архивом номеров за 2005-2011 г.г. и ежемесячно электронную версию журнала в pdf-формате.

    Оформить подписку на год


      Закладки на сайте
      Проследить за страницей     		Created 1996-2012 by Maxim Chirkov  
    ДобавитьРекламаВебмастеруГИД  
    RUNNet TopList