(NetBSD Issues Fix) Systrace BSD Privilege Check Error Lets Local Users Gain Root Privileges
SecurityTracker Alert ID: 1010141
SecurityTracker URL: http://securitytracker.com/id/1010141
Date: May 12 2004
Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
A vulnerability was reported in systrace on NetBSD and FreeBSD. A local user with access to systrace can gain root access.
Stefan Esser from e-matters reported that there is a flaw in systrace that allows a local user with access to the systrace device to gain root privileges on the target system.
The flaw reportedly resides in systrace in the NetBSD implementation and also in the unofficial FreeBSD port by Vladimir Kotal.
The software reportedly fails to make a permission check after executing a system call with raised privileges. In certain cases, a local user can cause the exit procedure to restore the privileges to superuser privileges by invoking the syscall_fancy() function and inducing an error while the system call arguments are copied to kernel memory.
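The missing check described above, as an added example that is not taken from the advisory or from the NetBSD source: a simplified user-space C model of an exit hook that restores a saved euid, without and with a check on who owns the systrace connection. All struct and function names are hypothetical, uid 1000 is a constructed sample, and the way the stale saved value arises (the entry hook returning on a copy error before the real euid is saved) is an assumption of the model.

```c
#include <stdbool.h>
#include <sys/types.h>

/* Simplified user-space model; all names are hypothetical, not NetBSD source. */
struct conn  { uid_t owner; };     /* uid that opened /dev/systrace */
struct tproc {
    uid_t euid;                    /* effective uid of the traced process */
    uid_t saved_euid;              /* euid to put back on exit, zero until saved */
    bool  restore_pending;         /* policy asked for raised privileges */
};

/* Entry hook; copy_ok == false models a failed copy of the syscall arguments. */
static int model_enter(struct tproc *p, bool want_elevate, bool copy_ok)
{
    p->restore_pending = want_elevate;
    if (!copy_ok)
        return -1;                 /* assumed: saved_euid was never filled in */
    if (want_elevate) {
        p->saved_euid = p->euid;   /* remember the caller's real euid */
        p->euid = 0;               /* run the system call with raised privileges */
    }
    return 0;
}

/* Exit hook without the check: restores whatever saved_euid holds. */
static void model_exit_unchecked(const struct conn *c, struct tproc *p)
{
    (void)c;                       /* connection owner is never consulted */
    if (p->restore_pending)
        p->euid = p->saved_euid;
    p->restore_pending = false;
}

/* Exit hook with the check: only a superuser-owned connection may restore. */
static void model_exit_checked(const struct conn *c, struct tproc *p)
{
    if (c->owner == 0 && p->restore_pending)
        p->euid = p->saved_euid;
    p->restore_pending = false;
}

/* Runs one enter/exit cycle and returns the resulting euid. */
uid_t run_case(uid_t owner, bool copy_ok, bool checked)
{
    struct conn c = { owner };
    struct tproc p = { 1000, 0, false };   /* constructed: unprivileged uid 1000 */
    model_enter(&p, true, copy_ok);
    (checked ? model_exit_checked : model_exit_unchecked)(&c, &p);
    return p.euid;
}
```

In the model, `run_case(1000, false, false)` ends with euid 0, while the checked exit hook leaves the same process at uid 1000.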
The original advisory is available at:
The vendor was reportedly notified on April 4, 2004.
A local user can gain root privileges.
NetBSD has released a fix in NetBSD-current and the NetBSD-2.0 branch as of April 17, 2004.
For netbsd-2-0, retrieve a kernel from the following location [where 'DATE' is any available DATE more recent than 2004-04-17]:
Vendor URL: www.systrace.org/
Underlying OS: UNIX (NetBSD)
Underlying OS Comments: NetBSD-current source prior to Apr 16, 2004; NetBSD 2.0 branch prior to Apr 16, 2004
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: NetBSD Security Advisory 2004-007: Systrace systrace_exit() local root
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2004-007
Topic: Systrace systrace_exit() local root
Version: NetBSD-current: source prior to Apr 16, 2004
         NetBSD 2.0 branch: source prior to Apr 16, 2004
         NetBSD 1.6.2: not affected
         NetBSD 1.6.1: not affected
         NetBSD 1.6: not affected
         NetBSD-1.5.3: not affected
         NetBSD-1.5.2: not affected
         NetBSD-1.5.1: not affected
         NetBSD-1.5: not affected
Severity: local root exploit
Fixed: NetBSD-current: Apr 17, 2004
NetBSD-2.0 branch: Apr 17, 2004 (2.0 will include
A local user that is allowed to use /dev/systrace can obtain root
systrace_exit() did not check if the connection to systrace was owned by
the super user, and would set euid to 0 on exit.
Solutions and Workarounds
*** Patching from sources:
The fix for this issue is contained in the one file,
The following table lists the fixed revisions and
dates of this file for each branch:
CVS branch     revision      date
-------------  ------------  ----------------
HEAD           1.38          2004/04/17
netbsd-2-0     188.8.131.52  2004/04/17
The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and installing a
new version of the kernel. In these instructions, replace:
BRANCH with the appropriate CVS branch (from the above table)
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r BRANCH sys/kern/sysv_shm.c
# cd sys/arch/ARCH/conf
# config KERNCONF
# cd ../compile/KERNCONF
# make depend;make
# mv /netbsd /netbsd.old
# cp netbsd /
* Binary Patch:
Binary patches are being provided, in the form of replacement
kernels built with the patches from the GENERIC kernel
configuration. If you use a custom kernel configuration, these
may not be suitable for you.
Releng does not compile -current kernels during a release cycle.
Users of -current are expected to be capable of upgrading from
Retrieve a kernel from:
Where DATE is any available DATE later than 2004-04-17
Stefan Esser for detection and notification
Niels Provos for patches
2004-05-12 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2004, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2004-007.txt,v 1.2 2004/05/12 15:39:10 david Exp $