SecurityTracker.com
Category:   Application (Security)  >   Systrace
Vendors:   systrace.org
(NetBSD Issues Fix) Systrace BSD Privilege Check Error Lets Local Users Gain Root Privileges
SecurityTracker Alert ID:  1010141
SecurityTracker URL:  http://securitytracker.com/id/1010141
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 12 2004
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in systrace on NetBSD and FreeBSD. A local user with access to systrace can gain root access.

Stefan Esser from e-matters reported that there is a flaw in systrace that allows a local user with access to the systrace device to gain root privileges on the target system.

The flaw reportedly resides in systrace in the NetBSD implementation and also in the unofficial FreeBSD port by Vladimir Kotal.

The software reportedly fails to make a permission check after executing a system call with raised privileges. In certain cases, a local user can cause the exit procedure to restore the privileges to superuser privileges by invoking the syscall_fancy() function and inducing an error while the system call arguments are copied to kernel memory.

The original advisory is available at:

http://security.e-matters.de/advisories/042004.html

The vendor was reportedly notified on April 4, 2004.

Impact:   A local user can gain root privileges.
Solution:   NetBSD has released a fix in NetBSD-current and the NetBSD-2.0 branch as of April 17, 2004.

For netbsd-2-0, retrieve a kernel from the following location [where 'DATE' is any available DATE more recent than 2004-04-17]:

ftp://releng.netbsd.org/pub/NetBSD-daily/netbsd-2-0/DATE/ARCH/binary/kernel/

Vendor URL:  www.systrace.org/
Cause:   Authentication error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  NetBSD-current source prior to Apr 16, 2004; NetBSD 2.0 branch prior to Apr 16, 2004

Message History:   This archive entry is a follow-up to the message listed below.
May 11 2004 Systrace BSD Privilege Check Error Lets Local Users Gain Root Privileges



 Source Message Contents

Subject:  NetBSD Security Advisory 2004-007: Systrace systrace_exit() local root



-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2004-007
		 =================================

Topic:		Systrace systrace_exit() local root

Version:	NetBSD-current:	source prior to Apr 16, 2004
		NetBSD 2.0 branch:	source prior to Apr 16, 2004
		NetBSD 1.6.2:	not affected
		NetBSD 1.6.1:	not affected
		NetBSD 1.6:	not affected
		NetBSD-1.5.3:	not affected
		NetBSD-1.5.2:	not affected
		NetBSD-1.5.1:	not affected
		NetBSD-1.5:	not affected

Severity:	local root exploit

Fixed:		NetBSD-current:		Apr 17, 2004
		NetBSD-2.0 branch:      Apr 17, 2004 (2.0 will include
							the fix)

Abstract
========

A local user that is allowed to use /dev/systrace can obtain root
access.



Technical Details
=================

systrace_exit() did not check if the connection to systrace was owned by
the super user, and would set euid to 0 on exit.


Solutions and Workarounds
=========================

*** Patching from sources:

The fix for this issue is contained in the one file,
sys/kern/kern_systrace.c 

The following table lists the fixed revisions and
dates of this file for each branch:

  CVS branch     revision     date
  -------------  -----------  ----------------
  HEAD           1.38         2004/04/17
  netbsd-2-0     1.37.2.1     2004/04/17

The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and installing a
new version of the kernel. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  ARCH     with your architecture (from uname -m), and
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r BRANCH sys/kern/kern_systrace.c
        # cd sys/arch/ARCH/conf
        # config KERNCONF
        # cd ../compile/KERNCONF
        # make depend;make
        # mv /netbsd /netbsd.old
        # cp netbsd /
        # reboot


* Binary Patch:

        Binary patches are being provided, in the form of replacement
        kernels built with the patches from the GENERIC kernel
        configuration. If you use a custom kernel configuration, these
        may not be suitable for you.

netbsd-current:

	Releng does not compile -current kernels during a release cycle.
	Users of -current are expected to be capable of upgrading from
	sources.


netbsd-2-0:

	Retrieve a kernel from:

	ftp://releng.netbsd.org/pub/NetBSD-daily/netbsd-2-0/DATE/ARCH/binary/kernel/

	Where DATE is any available DATE later than 2004-04-17


Thanks To
=========

Stefan Esser for detection and notification
Niels Provos for patches


Revision History
================

	2004-05-12	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-007.txt,v 1.2 2004/05/12 15:39:10 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)

-----END PGP SIGNATURE-----
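
After updating from CVS as the advisory describes, the revision of sys/kern/kern_systrace.c can be checked against the advisory's table of fixed revisions (HEAD 1.38, netbsd-2-0 1.37.2.1). The script below is an added example, not part of the NetBSD advisory; the function names are hypothetical and the sample ident lines are constructed, with placeholder times and committer.

```sh
#!/bin/sh
# Added example: classify a kern_systrace.c RCS revision against the fixed
# revisions listed in NetBSD-SA2004-007 (HEAD 1.38, netbsd-2-0 1.37.2.1).

# Pull the revision out of a "$NetBSD: kern_systrace.c,v REV DATE ... $" line.
ident_revision() {
    printf '%s\n' "$1" |
        sed -n 's/.*\$NetBSD: kern_systrace\.c,v \([0-9.][0-9.]*\) .*/\1/p'
}

# Numeric, component-wise comparison of dotted revisions: succeeds if $1 >= $2.
rev_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# $1 = CVS branch from the advisory table (HEAD or netbsd-2-0), $2 = ident line.
# Prints "fixed", "predates-fix" or "unknown". "predates-fix" only means the
# file is older than the fixed revision for that branch.
check_systrace_fix() {
    rev=$(ident_revision "$2")
    case "$1:$rev" in
        HEAD:*.*.*)          echo unknown ;;       # branch revision, not trunk
        HEAD:1.*)            if rev_ge "$rev" 1.38; then echo fixed
                             else echo predates-fix; fi ;;
        netbsd-2-0:1.37)     echo predates-fix ;;  # branch point, no branch commit
        netbsd-2-0:1.37.2.*) if rev_ge "$rev" 1.37.2.1; then echo fixed
                             else echo predates-fix; fi ;;
        *)                   echo unknown ;;       # no ident or unexpected branch
    esac
}

# Constructed sample ident lines (times and committer are placeholders).
check_systrace_fix HEAD \
    '$NetBSD: kern_systrace.c,v 1.38 2004/04/17 00:00:00 someone Exp $'
check_systrace_fix netbsd-2-0 \
    '$NetBSD: kern_systrace.c,v 1.37 2004/01/01 00:00:00 someone Exp $'
```

On a real source tree, pass the $NetBSD$ ident line found at the top of sys/kern/kern_systrace.c as the second argument.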

 
 

