


Category:   Application (Security)  >   Systrace
Systrace BSD Privilege Check Error Lets Local Users Gain Root Privileges
SecurityTracker Alert ID:  1010112
CVE Reference:   GENERIC-MAP-NOMATCH (no CVE identifier assigned)
Date:  May 11 2004
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes

Description:   A vulnerability was reported in systrace on NetBSD and FreeBSD. A local user with access to the systrace device can gain root privileges.

Stefan Esser from e-matters reported that there is a flaw in systrace that allows a local user with access to the systrace device to abuse the privilege elevation feature and gain root privileges on the target system.

The flaw reportedly resides in the NetBSD implementation of systrace and also in the unofficial FreeBSD port by Vladimir Kotal. The OpenBSD and Linux implementations check for superuser privileges before restoring the user id and are not reported to be affected.

The software reportedly fails to check for superuser privileges when it restores the saved user id after a system call that was executed with raised privileges. NetBSD splits the handling of a traced system call into a routine called on enter and a routine called on exit; the exit routine trusts the elevation flags and restores the credentials that the enter routine saved, and those saved values are initialised to zero. A local user who controls the monitor can answer a system call result message with a privilege elevation request and then issue a system call whose arguments cannot be copied into kernel memory. In syscall_fancy(), the copy error causes trace_enter() and the system call itself to be skipped while trace_exit() is still called, so the exit routine restores the zero-initialised saved credentials and the traced child process ends up with superuser privileges.
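The enter/exit split is easier to follow in code. The following is an added example, a simplified user-space model written for this page and not NetBSD kernel code or anything published with the advisory: the structure, flag and function names (str_process, STR_PROC_SETEUID, STR_PROC_ELEVATED, systrace_answer, trace_enter, trace_exit_vuln, trace_exit_fixed, syscall_fancy, replay_attack) are assumptions chosen to mirror the description, and the hardened exit routine is one possible fix, not the vendor's patch. It replays the sequence described above: the monitor answers a result message with an elevation request, the next system call's argument copy fails, the modelled syscall_fancy() skips trace_enter() and the call but still runs trace_exit(), and the vulnerable exit routine restores the zero-initialised saved uid.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the systrace enter/exit split described in the
 * advisory.  Illustrative code only, not NetBSD's kern_systrace.c: the
 * struct, flag and function names below are assumptions. */

#define STR_PROC_SETEUID   0x01  /* monitor answered: run with seteuid */
#define STR_PROC_ELEVATED  0x02  /* trace_enter() really switched euid (hardened variant) */

struct str_process {
    int flags;
    unsigned seteuid;   /* uid requested in the monitor's answer */
    unsigned saveuid;   /* uid to restore on exit; calloc() leaves it 0 */
};

struct proc {
    unsigned euid;
    struct str_process *strp;
};

/* Monitor's answer to a systrace message.  The model records the request
 * whether the answered message was an enter or a result (exit) message,
 * which is the behaviour the advisory relies on. */
static void systrace_answer(struct proc *p, unsigned uid)
{
    p->strp->seteuid = uid;
    p->strp->flags |= STR_PROC_SETEUID;
}

/* Runs before a traced system call: apply a pending elevation. */
static void trace_enter(struct proc *p)
{
    struct str_process *strp = p->strp;
    if (strp->flags & STR_PROC_SETEUID) {
        strp->saveuid = p->euid;        /* remember what to restore */
        p->euid = strp->seteuid;
        strp->flags |= STR_PROC_ELEVATED;
    }
}

/* Vulnerable exit: trusts the flag alone and restores saveuid blindly,
 * which is still 0 when trace_enter() never ran. */
static void trace_exit_vuln(struct proc *p)
{
    struct str_process *strp = p->strp;
    if (strp->flags & STR_PROC_SETEUID) {
        p->euid = strp->saveuid;
        strp->flags &= ~STR_PROC_SETEUID;
    }
}

/* Hardened exit (an assumed fix, not the vendor patch): restore only what
 * trace_enter() actually saved and discard a request it never applied. */
static void trace_exit_fixed(struct proc *p)
{
    struct str_process *strp = p->strp;
    if (strp->flags & STR_PROC_ELEVATED)
        p->euid = strp->saveuid;
    strp->flags &= ~(STR_PROC_SETEUID | STR_PROC_ELEVATED);
}

/* Model of syscall_fancy(): a failed copyin() of the arguments skips
 * trace_enter() and the system call, but trace_exit() runs regardless. */
static int syscall_fancy(struct proc *p, int copyin_fails,
                         void (*trace_exit)(struct proc *))
{
    int error = 0;
    if (copyin_fails) {
        error = EFAULT;
    } else {
        trace_enter(p);
        /* the real system call would execute here */
    }
    trace_exit(p);
    return error;
}

/* Replays the attack against either exit routine and returns the traced
 * child's effective uid afterwards (1000 = unprivileged, 0 = root). */
unsigned replay_attack(int use_fixed_exit)
{
    void (*trace_exit)(struct proc *) =
        use_fixed_exit ? trace_exit_fixed : trace_exit_vuln;
    struct str_process *strp = calloc(1, sizeof *strp);  /* saveuid == 0 */
    struct proc child = { 1000, strp };
    unsigned euid;

    /* 1. an ordinary traced call; the monitor answers its result message
     *    with an elevation request (the uid asked for is irrelevant). */
    syscall_fancy(&child, 0, trace_exit);
    systrace_answer(&child, 1000);

    /* 2. the next call passes an unmapped argument pointer: copyin fails,
     *    enter and the call are skipped, exit restores the saved uid. */
    syscall_fancy(&child, 1, trace_exit);

    euid = child.euid;
    free(strp);
    return euid;
}

int main(void)
{
    printf("vulnerable exit: child euid = %u\n", replay_attack(0));
    printf("hardened exit:   child euid = %u\n", replay_attack(1));
    return 0;
}
```

Build it with any C compiler and run it: the vulnerable exit routine leaves the child with euid 0 although the monitor never asked for root, because the restored value is whatever the zeroed str_process held, while the hardened variant leaves the child at euid 1000 because nothing was ever saved. The point to carry back to the real kernel is that the exit path must not trust an elevation flag that the enter path has not consumed.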

The original advisory is available at:

The vendor was reportedly notified on April 4, 2004.

Impact:   A local user with access to the systrace device can gain root privileges.
Solution:   A fix for NetBSD is reportedly available in the NetBSD CVS tree (committed April 9, 2004). No fix is available for the unofficial FreeBSD port by Vladimir Kotal.
Cause:   Access control error
Underlying OS:  UNIX (FreeBSD), UNIX (NetBSD)
Underlying OS Comments:  NetBSD with systrace support prior to April 9, 2004; FreeBSD with *unofficial* port by Vladimir Kotal

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 12 2004 (NetBSD Issues Fix) Systrace BSD Privilege Check Error Lets Local Users Gain Root Privileges
NetBSD has released a fix.

 Source Message Contents

Subject:  [Full-Disclosure] Advisory 04/2004: Net(Free)BSD Systrace local root vulnerability

                           e-matters GmbH

                      -= Security  Advisory =-

     Advisory: Net(Free)BSD Systrace local root vulnerability
 Release Date: 2004/05/11
Last Modified: 2004/05/11
       Author: Stefan Esser []
  Application: NetBSD with systrace support before 2004/04/09
               FreeBSD with *unofficial* port by Vladimir Kotal
     Severity: A local user with access to systrace can
               gain root privileges
         Risk: Critical
Vendor Status: Vendor has fixed the vulnerability, after 4 weeks
               still no advisory...


   Quote from
   "Systrace enforces system call policies for applications by 
   constraining the application's access to the system. The policy 
   is generated interactively. Operations not covered by the policy 
   raise an alarm, allowing a user to refine the currently 
   configured policy."
   A code audit of systrace on various platforms revealed a flaw in
   its NetBSD implementation (which is also present in the unofficial
   FreeBSD port by Vladimir Kotal). This flaw allows a local user with
   access to the systrace device to abuse the privilege elevation
   feature to gain root permissions.

   At the end of March Brad Spengler from grsecurity informed the 
   world about a silently patched systrace bypass vulnerability
   within the linux port of systrace. He also revealed that he found
   two more holes within systrace, which he did not disclose further.
   His mail was reason enough to have a look into systrace on nearly 
   all of its supported platforms.
   Soon it was discovered that the NetBSD implementation and the 
   FreeBSD port implement the privilege elevation feature in a
   different way. After a system call was called with raised 
   permissions it will restore the elevated permissions if the flags 
   say so. Unlike the OpenBSD or Linux implementation it does not
   check for super user privileges when restoring the user id.
   This was most probably done because the syscall handling is split
   up within NetBSD/FreeBSD into a part which is called on enter
   and a part which is called on exit.
   The superuser check is missing within the exit code because the 
   procedure which is called on enter clears the corresponding flags.
   It should be obvious that tricking the exit procedure into
   restoring the process permissions to the savedugid values results
   in superuser permissions because those are initialised to zero.
   At this point the flaw seems unexploitable because it seems 
   impossible to enter the exit procedure with the flags set correctly
   due to the fact that the systrace design forbids sending privilege
   elevation messages to the process while it is within a system call.
   It is necessary to dig a bit deeper into the NetBSD kernel to 
   finally find the answer to the question of exploitability. (Same
   for FreeBSD.) For NetBSD the problem is located within syscall_fancy()
   which is responsible for handling traced syscalls. This routine was
   designed in a way that an error while copying the system call
   arguments into kernelspace will result in trace_enter() and the
   actual system call itself to be skipped, while trace_exit() is
   called nevertheless.
   Combined this means exploiting this vulnerability comes down to
   attaching to a child process, sending a privilege elevation
   answer to a system call result message and magically letting the 
   kernel fail when copying the arguments to the next system call. 
   Everyone who knows his assembly language will know how to achieve 
   this with minimum effort.
   After this simple process the child has super user privileges.

Proof of Concept:

   e-matters is not going to release an exploit for any of these 
   vulnerabilities to the public. 

Disclosure Timeline:

    4. April 2004 - The NetBSD security officers and Niels Provos
                    were informed about this vulnerability by
    9. April 2004 - Bug is fixed in NetBSD CVS tree.
   11. April 2004 - NetBSD informs me that they hope to release
                    within the week.
   16. April 2004 - After realising that the unofficial FreeBSD
                    port is also affected, Vladimir Kotal gets
                    informed by email.
   27. April 2004 - Vladimir Kotal replies that he is too busy to
                    fix at the moment.
    3. May   2004 - After contacting NetBSD again they tell me
                    that they "lost track" and hope to release
                    within the week (again).
   11. May   2004 - Since the fix over a month has passed.
                    Still no vendor advisory. Public Disclosure.


   It is strongly recommended to update your version of NetBSD as 
   soon as possible because exploiting this vulnerability is pretty
   straightforward.
   pub  1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
   Key fingerprint = 43DD 843C FAB9 832A E5AB  CAEB 81F2 8110 75E7 AAD6

Copyright 2004 Stefan Esser. All rights reserved.


 Stefan Esser                              
 e-matters Security               

 GPG-Key                gpg --keyserver --recv-key 0xCF6CAE69 
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
 Did I help you? Consider a gift:  


