


Category:   Application (Security)  >   Systrace
Vendors:
(NetBSD Issues Fix) Systrace BSD Privilege Check Error Lets Local Users Gain Root Privileges
SecurityTracker Alert ID:  1010141
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 12 2004
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in systrace on NetBSD and FreeBSD. A local user with access to systrace can gain root access.

Stefan Esser from e-matters reported that there is a flaw in systrace that allows a local user with access to the systrace device to gain root privileges on the target system.

The flaw reportedly resides in systrace in the NetBSD implementation and also in the unofficial FreeBSD port by Vladimir Kotal.

The software reportedly fails to make a permission check after executing a system call with raised privileges. In certain cases, a local user can cause the exit procedure to restore the privileges to superuser privileges by invoking the syscall_fancy() function and inducing an error while the system call arguments are copied to kernel memory.
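The missing check can be seen in a small user-space model, given here as an added example and not as NetBSD kernel code or part of the advisory. The struct, flag and function names are hypothetical, and the two starting states are constructed: a stale "restore euid" flag with a zeroed saved euid, and a genuine elevation made for a root-owned connection.

```c
#include <stdio.h>

#define F_SETEUID 0x1   /* hypothetical flag: "restore euid when the syscall exits" */

struct conn   { int owner_is_root; };                  /* opener of /dev/systrace */
struct traced { unsigned euid, saved_euid; int flags; };

/* Exit hook as the advisory describes it: the owner is never checked, so
 * whatever sits in saved_euid is applied to the process. */
static void exit_unchecked(const struct conn *c, struct traced *p)
{
    (void)c;
    if (p->flags & F_SETEUID)
        p->euid = p->saved_euid;       /* stale 0 => euid becomes 0 */
    p->flags &= ~F_SETEUID;
}

/* Exit hook with the missing check added: only a connection owned by the
 * superuser may cause an euid change on exit. */
static void exit_checked(const struct conn *c, struct traced *p)
{
    if ((p->flags & F_SETEUID) && c->owner_is_root)
        p->euid = p->saved_euid;
    p->flags &= ~F_SETEUID;
}

/* Run one exit and return the euid the traced process ends up with. */
static unsigned final_euid(int owner_is_root, int elevated, int use_checked)
{
    struct conn c = { owner_is_root };
    /* constructed states: genuine elevation (euid 0, saved 1000), or a
     * stale flag left after a failed entry (euid 1000, saved still 0) */
    struct traced p = elevated ? (struct traced){ 0, 1000, F_SETEUID }
                               : (struct traced){ 1000, 0, F_SETEUID };
    if (use_checked) exit_checked(&c, &p); else exit_unchecked(&c, &p);
    return p.euid;
}

int main(void)
{
    printf("unprivileged owner, unchecked exit: euid=%u\n", final_euid(0, 0, 0));
    printf("unprivileged owner, checked exit:   euid=%u\n", final_euid(0, 0, 1));
    printf("root owner, checked exit:           euid=%u\n", final_euid(1, 1, 1));
    return 0;
}
```

The legitimate case is unchanged by the added check: a root-owned connection still has the original euid restored after the elevated call.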

The original advisory is available at:

The vendor was reportedly notified on April 4, 2004.

Impact:   A local user can gain root privileges.
Solution:   NetBSD has released a fix in NetBSD-current and the NetBSD-2.0 branch as of April 17, 2004.

For netbsd-2-0, retrieve a kernel from the following location [Where 'DATE' is any available DATE more recent than 2004-04-17]:

Vendor URL:
Cause:   Authentication error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  NetBSD-current source prior to Apr 16, 2004; NetBSD 2.0 branch prior to Apr 16, 2004

Message History:   This archive entry is a follow-up to the message listed below.
May 11 2004 Systrace BSD Privilege Check Error Lets Local Users Gain Root Privileges

 Source Message Contents

Subject:  NetBSD Security Advisory 2004-007: Systrace systrace_exit() local root


		 NetBSD Security Advisory 2004-007

Topic:		Systrace systrace_exit() local root

Version:	NetBSD-current:	source prior to Apr 16, 2004
		NetBSD 2.0 branch:	source prior to Apr 16, 2004
		NetBSD 1.6.2:	not affected
		NetBSD 1.6.1:	not affected
		NetBSD 1.6:	not affected
		NetBSD-1.5.3:	not affected
		NetBSD-1.5.2:	not affected
		NetBSD-1.5.1:	not affected
		NetBSD-1.5:	not affected

Severity:	local root exploit

Fixed:		NetBSD-current:		Apr 17, 2004
		NetBSD-2.0 branch:      Apr 17, 2004 (2.0 will include
							the fix)


A local user that is allowed to use /dev/systrace can obtain root

Technical Details

systrace_exit() did not check if the connection to systrace was owned by
the super user, and would set euid to 0 on exit.

Solutions and Workarounds

*** Patching from sources:

The fix for this issue is contained in the one file,

The following table lists the fixed revisions and
dates of this file for each branch:

  CVS branch     revision     date
  -------------  -----------  ----------------
  HEAD           1.38         2004/04/17
  netbsd-2-0     2004/04/17

The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and installing a
new version of the kernel. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  ARCH     with your architecture (from uname -m), and
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r BRANCH sys/kern/sysv_shm.c
        # cd sys/arch/ARCH/conf
        # config KERNCONF
        # cd ../compile/KERNCONF
        # make depend;make
        # mv /netbsd /netbsd.old
        # cp netbsd /
        # reboot

* Binary Patch:

        Binary patches are being provided, in the form of replacement
        kernels built with the patches from the GENERIC kernel
        configuration. If you use a custom kernel configuration, these
        may not be suitable for you.


	Releng does not compile -current kernels during a release cycle.
	Users of -current are expected to be capable of upgrading from


	Retrieve a kernel from:

	Where DATE is any available DATE later than 2004-04-17

Thanks To

Stefan Esser for detection and notification
Niels Provos for patches

Revision History

	2004-05-12	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and

Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-007.txt,v 1.2 2004/05/12 15:39:10 david Exp $



