<<< Date Index >>>     <<< Thread Index >>>

NetBSD Security Advisory 2004-007: Systrace systrace_exit() local root



-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2004-007
                 =================================

Topic:          Systrace systrace_exit() local root

Version:        NetBSD-current: source prior to Apr 16, 2004
                netBSD 2.0 branch:      source prior to Apr 16, 2004
                netBSD 1.6.2:   not affected
                NetBSD 1.6.1:   not affected
                NetBSD 1.6:     not affected
                NetBSD-1.5.3:   not affected
                NetBSD-1.5.2:   not affected
                NetBSD-1.5.1:   not affected
                NetBSD-1.5:     not affected

Severity:       local root exploit

Fixed:          NetBSD-current:         Apr 17, 2004
                NetBSD-2.0 branch:      Apr 17, 2004 (2.0 will include
                                                        the fix)

Abstract
========

A local user that is allowed to use /dev/systrace can obtain root
access.



Technical Details
=================

systrace_exit() did not check if the connection to systrace was owned by
the super user, and would set euid to 0 on exit.


Solutions and Workarounds
=========================

*** Patching from sources:

The fix for this issue is contained in the one file,
sys/kern/kern_systrace.c 

The following table lists the fixed revisions and
dates of this file for each branch:

  CVS branch     revision     date
  -------------  -----------  ----------------
  HEAD           1.38         2004/04/17
  netbsd-2-0     1.37.2.1     2004/04/17

The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and installing a
new version of the kernel. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  ARCH     with your architecture (from uname -m), and
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r BRANCH sys/kern/sysv_shm.c
        # cd sys/arch/ARCH/conf
        # config KERNCONF
        # cd ../compile/KERNCONF
        # make depend;make
        # mv /netbsd /netbsd.old
        # cp netbsd /
        # reboot


* Binary Patch:

        Binary patches are being provided, in the form of replacement
        kernels built with the patches from the GENERIC kernel
        configuration. If you use a custom kernel configuration, these
        may not be suitable for you.

netbsd-current:

        Releng does not compile -current kernels during a release cycle.
        Users of -current are expected to be capable of upgrading from
        sources.


netbsd-2-0:

        Retreive a kernel from:

        
ftp://releng.netbsd.org/pub/NetBSD-daily/netbsd-2-0/DATE/ARCH/binary/kernel/

        Where DATE is any available DATE later than 2004-04-17


Thanks To
=========

Stefan Esser for detection and notification
Niels Provos for patches


Revision History
================

        2004-05-12      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-007.txt,v 1.2 2004/05/12 15:39:10 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)

iQCVAwUBQKJFLz5Ru2/4N2IFAQEaTgQAhGSQG1/cWAjKSV95hZ5dej1tkA+eYEMO
Y8EuSm80ebavAb4gJnvm5AcpnWu8THZgMdALNcJ+E7cK9wzCF8XfLHy/hHRPCcgr
Q/2vtood5T/ZdDdWJ9RXPBxR6GtAGvHXdhBqHWxTdN8OmaX36N1TptQ4mI9QoeWf
PTIeZpnsSBw=
=RBZ+
-----END PGP SIGNATURE-----