SecurityTracker.com
Category:   OS (UNIX)  >   Kernel (please use specific OS kernel) Vendors:   OpenBSD
OpenBSD Operating System Kernel Race Condition May Let a Local User Obtain Root Privileges on the Host
SecurityTracker Alert ID:  1003330
SecurityTracker URL:  http://securitytracker.com/id/1003330
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jan 23 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.0
Description:   OpenBSD issued a notice warning of a kernel security flaw in the OpenBSD operating system. A local user could theoretically obtain root access on the system.

It is reported that a local process may be able to exec a set-user-id (suid) root binary and gain ptrace(2) control over the new process during the short window before that process is activated. The controlling process could then modify the address space of the traced process and have it perform actions with root privileges.

The bug is reportedly due to a race condition between the ptrace(2) and execve(2) system calls. No technical details were provided.

Impact:   A local user could obtain root privileges on the host.
Solution:   The vendor has released a patch, available at:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/012_ptrace.patch

Vendor URL:  www.openbsd.org/
Cause:   State error
Underlying OS:  UNIX (OpenBSD)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Releases Fix for OpenBSD 2.9) Re: OpenBSD Operating System Kernel Race Condition May Let a Local User Obtain Root Privileges on the Host
The vendor has released a patch for OpenBSD 2.9. A patch for 3.0 had been released back in January 2002.



 Source Message Contents

Subject:  OpenBSD Security Fix


ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/012_ptrace.patch

A race condition between the ptrace(2) and execve(2) system calls allowed
an attacker to modify the memory contents of suid/sgid processes which
could lead to compromise of the super-user account.

Apply by doing:
	cd /usr/src
	patch -p0 < 012_ptrace.patch
And then rebuild your kernel.

Index: sys/kern/kern_exec.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.57
diff -u -u -r1.57 kern_exec.c
--- sys/kern/kern_exec.c	19 Sep 2001 20:50:58 -0000	1.57
+++ sys/kern/kern_exec.c	21 Jan 2002 18:03:16 -0000
@@ -251,6 +251,12 @@
 	extern struct emul emul_native;
 
 	/*
+	 * Cheap solution to complicated problems.
+	 * Mark this process as "leave me alone, I'm execing".
+	 */
+	p->p_flag |= P_INEXEC;
+
+	/*
 	 * figure out the maximum size of an exec header, if necessary.
 	 * XXX should be able to keep LKM code from modifying exec switch
 	 * when we're still using it, but...
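Review bot: `p->p_flag |= P_INEXEC;` is set unconditionally at the top of execve, so every return path out of this function from here on must clear it, or the process is left permanently un-traceable (every later ptrace/procfs access would get EAGAIN). The "Cheap solution" comment should state that invariant explicitly, e.g. "cleared on every exit path below", so a future early `return` added between this point and the clearing lines is not silently a regression.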
@@ -611,6 +617,7 @@
 	if (KTRPOINT(p, KTR_EMUL))
 		ktremul(p, p->p_emul->e_name);
 #endif
+	p->p_flag &= ~P_INEXEC;
 	return (0);
 
 bad:
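Review bot: the clear at `p->p_flag &= ~P_INEXEC;` sits at the final `return (0)` of the success path, after the new image is fully installed, which is the right placement; it would help to add a one-line comment referencing the set at function entry so the pair stays matched when this function is refactored. Also note that `bad:` begins the error path here, and nothing in this hunk clears the flag between `bad:` and the next label, so that path depends on falling through to the clear in a later hunk.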
@@ -629,6 +636,7 @@
 
 freehdr:
 	free(pack.ep_hdr, M_EXEC);
+	p->p_flag &= ~P_INEXEC;
 	return (error);
 
 exec_abort:
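Review bot: the flag is only cleared at `freehdr:`, so any error label that returns before reaching `freehdr:` (the code between `bad:` and `freehdr:` is not shown in the hunk) would leave P_INEXEC set; please confirm that every error path in execve falls through to `freehdr:` or add the clear to the earlier labels as well.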
@@ -652,6 +660,7 @@
 	exit1(p, -1);
 
 	/* NOTREACHED */
+	p->p_flag &= ~P_INEXEC;
 	return (0);
 }
 
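Review bot: `p->p_flag &= ~P_INEXEC;` is inserted after `exit1(p, -1);` and the `/* NOTREACHED */` marker, so it is dead code (the process never returns from exit1). Either drop it or, if the intent is to clear the flag before the process is torn down, move it above `exit1()`; leaving a dead store under NOTREACHED is misleading to the next reader.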
Index: sys/kern/sys_process.c
===================================================================
RCS file: /cvs/src/sys/kern/sys_process.c,v
retrieving revision 1.13
diff -u -u -r1.13 sys_process.c
--- sys/kern/sys_process.c	27 Jun 2001 04:49:47 -0000	1.13
+++ sys/kern/sys_process.c	21 Jan 2002 18:03:16 -0000
@@ -107,6 +107,9 @@
 			return (ESRCH);
 	}
 
+	if ((t->p_flag & P_INEXEC) != 0)
+		return (EAGAIN);
+
 	/* Make sure we can operate on it. */
 	switch (SCARG(uap, req)) {
 	case  PT_TRACE_ME:
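Review bot: the `(t->p_flag & P_INEXEC)` check is placed before the request switch, so it also applies to `PT_TRACE_ME`, where the target is the caller itself and can never be mid-exec; harmless, but the check could sit in the attach/control cases only. More importantly, the check is only effective if nothing between this point and the moment tracing is actually established can sleep and let the target enter exec; please confirm that holds. Returning `EAGAIN` to debuggers attaching during an exec is a new, visible behaviour and should be documented in ptrace(2), which this patch does not touch.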
Index: sys/miscfs/procfs/procfs_mem.c
===================================================================
RCS file: /cvs/src/sys/miscfs/procfs/procfs_mem.c,v
retrieving revision 1.14
diff -u -u -r1.14 procfs_mem.c
--- sys/miscfs/procfs/procfs_mem.c	19 Sep 2001 18:06:17 -0000	1.14
+++ sys/miscfs/procfs/procfs_mem.c	21 Jan 2002 18:03:16 -0000
@@ -106,6 +106,8 @@
  *	    of the entire system, and the system was not
  *	    compiled with permanently insecure mode turned
  *	    on.
+ *
+ *      (3) It's currently execing.
  */
 int
 procfs_checkioperm(p, t)
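Review bot: the added `(3) It's currently execing.` comment line is indented with spaces while the surrounding comment lines use a tab; match the existing indentation for consistency.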
@@ -120,6 +122,9 @@
 
 	if ((t->p_pid == 1) && (securelevel > -1))
 		return (EPERM);
+
+	if (t->p_flag & P_INEXEC)
+		return (EAGAIN);
 
 	return (0);
 }
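Review bot: the new `if (t->p_flag & P_INEXEC) return (EAGAIN);` correctly comes after the pid 1/securelevel check so init keeps its stronger EPERM protection, and it mirrors the ptrace check so /proc/pid/mem cannot be used as a bypass. The extra blank line inserted before the check leaves two blank-line separators around a single statement; one would match the style of the surrounding code.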
Index: sys/sys/proc.h
===================================================================
RCS file: /cvs/src/sys/sys/proc.h,v
retrieving revision 1.48
diff -u -u -r1.48 proc.h
--- sys/sys/proc.h	22 Aug 2001 10:29:42 -0000	1.48
+++ sys/sys/proc.h	21 Jan 2002 18:03:16 -0000
@@ -246,6 +246,7 @@
 
 #define	P_NOCLDWAIT	0x080000	/* Let pid 1 wait for my children */
 #define	P_NOZOMBIE	0x100000	/* Pid 1 waits for me instead of dad */
+#define P_INEXEC	0x200000	/* Process is doing an exec right now */
 
 /* Macro to compute the exit signal to be delivered. */
 #define P_EXITSIG(p) \
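Review bot: `#define P_INEXEC` uses a space after `#define` where the neighbouring `P_NOCLDWAIT`/`P_NOZOMBIE` lines use a tab; align it. In the visible lines 0x080000 and 0x100000 are the previous bits, so 0x200000 is the next free one, but any p_flag values defined after this hunk's context should be checked for a collision, and any flag-name table used by ps(1) or ddb to print p_flag should get the new bit as well.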
