-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2000-001 ================================= Topic: procfs security hole Version: NetBSD 1.4.1 and prior; NetBSD-current until 20000126 Severity: If the kernel has procfs configured, any user can become root Abstract ======== The procfs filesystem makes the different resources of a process available under the directory /proc//. One of these resources is the memory image of the process. Reading to and writing from this special file is restricted. However, by tricking a setuid binary to write into this file, this restriction can be circumvented, and the memory image of another setuid binary can be manipulated in such a way that it will execute a shell. Systems which have procfs configured in the kernel, but not mounted normally, are still vulnerable because user processes may mount procfs. This includes most default NetBSD installations. Technical Details ================= Access to /proc//mem is protected by the procfs_checkioperm() function in sys/miscfs/procfs/procfs_mem.c. However, this function does allow access if the effective uid of the writing process is 0. If a setuid process can be manipulated in such a way that it writes to a filedescriptor referring to an open /proc//mem, this check will not protect the memory written. One way to do this is to open /proc//mem, dup2() that filedescriptor onto filedescriptor 2, do a seek on that filedescriptor to an appropriate offset (the right stack address), execute a setuid binary, and trick it into writing an error message that contains code to execute a shell. If the main program, meanwhile, has executed another setuid binary, this will have its stack overwritten, and execute a shell, giving the user root access. Solutions and Workarounds ========================= A patch is available for NetBSD 1.4.1, that revokes all vnodes referring to procfs files when a process is about to execute a setuid or setgid binary. It is located at: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000130-procfs This patch will be included in the upcoming NetBSD 1.4.2 minor release. NetBSD-current since 20000126 is not vulnerable. Users of NetBSD-current should upgrade to a source tree later than 20000126. If this action cannot be taken, a workaround is to disable the use of the proc filesystem. It is not mounted by default in NetBSD, and nothing in the NetBSD base tree depends on it. The procfs filesystem should be disabled by removing it from the kernel config and rebuilding a new kernel. It is recommended that the patch above be applied in this case anyway. An earlier version of this advisory suggested removing any procfs lines from /etc/fstab, however this is not sufficient. User processes are able to mount filesystems (subject to some conditions) and the procfs filesystem is compiled into default NetBSD kernels. If a user mounts the procfs filesystem, the system will be vulnerable as above. In response to this issue, as of 20000216 NetBSD-current implements a sysctl 'vfs.generic.usermount' to allow administrators to select whether user mounts should be allowed; by default they are now disallowed. Thanks To ========= Jason Thorpe and Charles Hannum for commenting on the fix, Chris Jones for observing the user mount problem, and Frank van der Linden for implementing both the fix to procfs and the usermount sysctl. Revision History ================ 2000/01/29 - initial version 2000/01/31 - corrected spelling of "onto" 2000/02/13 - minor editorial changes for release. 2000/02/16 - Noted user mount problem, corrected these dates More Information ================ Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2000-001.txt,v 1.3 2000/02/19 04:02:43 dan Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBOK4Wqz5Ru2/4N2IFAQGPTgP+M9nt09uREXySNWGXqQFek8VRqetkQOqZ QPBd1k8GTvWUWZPkp3PtC1EbOzebV3u7gQ6Z+D7LCnxnH3y4EFYrULmIeNVXy55u vj5m0FIE2FN285X4jv0ZXwYdyDFqzObzlwhjXthB4+wYUvuS+g7R+7FVyVYX8Mr7 pmuZ1rSgIRY= =lCCD -----END PGP SIGNATURE-----