SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   FreeBSD Kernel Vendors:   FreeBSD
FreeBSD devfs Access Control Bug May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1014536
SecurityTracker URL:  http://securitytracker.com/id/1014536
CVE Reference:   CVE-2005-2218   (Links to External Site)
Updated:  Jun 15 2008
Original Entry Date:  Jul 20 2005
Impact:   Disclosure of system information, Disclosure of user information, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.3, 5.4
Description:   A vulnerability was reported in FreeBSD in the devfs(5) device file system. A local user may be able to gain elevated privileges in certain cases.

The system does not properly validate the node type parameter when creating a device. As a result, a local user running a jailed process can access hidden devfs device nodes mounted within the jail. The device nodes are created with their normal default access permissions, which may allow the local user to obtain potentially sensitive information or gain elevated privileges on the target system.

Impact:   A local user running a jailed process can access restricted resources on the target system, which may allow the user to obtain information or gain elevated privileges.
Solution:   The vendor has issued a fix and has provided the following solution information [quoted]:

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4, or RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the system.

Vendor URL:  www.freebsd.org/ (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  FreeBSD Security Advisory FreeBSD-SA-05:17.devfs


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:17.devfs                                      Security Advisory
                                                          The FreeBSD Project

Topic:          devfs ruleset bypass

Category:       core
Module:         devfs
Announced:      2005-07-20
Credits:        Robert Watson
Affects:        All FreeBSD 5.x releases
Corrected:      2005-07-20 13:35:44 UTC (RELENG_5, 5.4-STABLE)
                2005-07-20 13:36:32 UTC (RELENG_5_4, 5.4-RELEASE-p5)
                2005-07-20 13:37:27 UTC (RELENG_5_3, 5.3-RELEASE-p19)
CVE Name:       CAN-2005-2218

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The device file system, or devfs(5), provides access to kernel's device
namespace in the global file system namespace.  This includes access to
to system devices such as storage devices, kernel and system memory
devices, BPF devices, and serial port devices.  Devfs is is generally
mounted as /dev.  Devfs rulesets allow an administrator to hide
certain device nodes; this is most commonly applied to a devfs mounted
for use inside a jail, in order to make devices inaccessible to
processes within that jail.

II.  Problem Description

Due to insufficient parameter checking of the node type during device
creation, any user can expose hidden device nodes on devfs mounted
file systems within their jail.  Device nodes will be created in the
jail with their normal default access permissions.

III. Impact

Jailed processes can get access to restricted resources on the host
system.  For jailed processes running with superuser privileges this
implies access to all devices on the system.  This level of access
can lead to information leakage and privilege escalation.

IV.  Workaround

Unmount device file systems mounted inside jails.  Note that certain
device nodes, such as /dev/null, may be required for some software to
function correctly.

This can be done by executing the following command as root:

  umount -A -t devfs

Also, remove or comment out any lines in fstab(5) that reference
`devfs' and has a mount point within a jail, so that they will not be
re-mounted at next reboot.

Some device file systems might be busy, including the host's main /dev
file system, and processes accessing these must be shut down before
the device file system can be unmounted.  The hosts main device file
system, mounted as /dev, should not be unmounted since it is required
for normal system operation.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4,
or RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3, and
5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/sys/fs/devfs/devfs_vnops.c                                 1.73.2.2
RELENG_5_4
  src/UPDATING                                            1.342.2.24.2.14
  src/sys/conf/newvers.sh                                  1.62.2.18.2.10
  src/sys/fs/devfs/devfs_vnops.c                             1.73.2.1.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.22
  src/sys/conf/newvers.sh                                  1.62.2.15.2.24
  src/sys/fs/devfs/devfs_vnops.c                                 1.73.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2218

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:17.devfs.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFC3lYgFdaIBMps37IRAldmAJ458s06z3gkHNjn04R2Rq8XXwRKiQCffeJP
m9n3bmuoX0WJvckcdR8EhU4=
=2iFe
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org"

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC