NetBSD Security Advisory 2005-013
=================================

Topic:      ptrace() permissions after S[UG]ID and exec()

Version:    NetBSD-current:    source prior to October 31, 2005
            NetBSD 2.1:        affected
            NetBSD 2.0.3:      affected
            NetBSD 2.0:        affected
            NetBSD 1.6:        affected

Severity:   privilege escalation and injection of code

Fixed:      NetBSD-current:    October 31, 2005
            NetBSD-3 branch:   October 31, 2005
            NetBSD-2.1 branch: October 31, 2005
                               (2.1.1 will include the fix)
            NetBSD-2.0 branch: October 31, 2005
                               (2.0.4 will include the fix)
            NetBSD-2 branch:   October 31, 2005
            NetBSD-1.6 branch: October 31, 2005


Abstract
========

Processes running with alternate privileges gained from setuid and setgid
executables are prevented from debugger attachment by their original owner
(via ptrace). However, if these processes exec'd without resetting their
real credentials, the replacement process could be attached to and tampered
with.


Technical Details
=================

A process flag P_SUGID is used to track processes that have gained
privileges via the set-id execution bits. This flag is checked by ptrace
when deciding whether to allow debugger attachment.

When a process called exec(), this flag was being cleared, even if the real
and effective credentials were still different. This would defeat the ptrace
check for the replacement process image, and allow inappropriate attachment
by processes owned by the real uid. This attachment could then be used to
alter the behaviour of the process, and make additional syscalls under the
effective uid.


Solutions and Workarounds
=========================

A limited workaround may be to mount filesystems with the nosuid option, or
remove setuid bits or general user access from setuid programs. This is
likely to affect required functionality.

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.
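To illustrate the P_SUGID logic from the Technical Details section, here is an added, hypothetical userland model (not NetBSD's kern_exec.c or ptrace code): it places the pre-fix exec behaviour beside the corrected one and shows which of them lets the real owner attach to the replacement image.

```c
#include <stdbool.h>
#include <sys/types.h>

/* Hypothetical model of the credential state a process carries and the
 * P_SUGID flag the advisory describes. Not the kernel's real structures. */
struct proc_model {
    uid_t ruid, euid;   /* real and effective user id */
    gid_t rgid, egid;   /* real and effective group id */
    bool  p_sugid;      /* P_SUGID: privilege gained via a set-id exec */
};

/* Set-id exec: the effective uid comes from the file, the real uid stays. */
static void exec_setid(struct proc_model *p, uid_t file_uid)
{
    p->euid = file_uid;
    p->p_sugid = true;
}

/* Pre-fix behaviour: a later exec() of an ordinary image cleared P_SUGID
 * unconditionally, even though real and effective ids still differed. */
static void exec_plain_vulnerable(struct proc_model *p)
{
    p->p_sugid = false;
}

/* Fixed behaviour as the advisory implies it: keep P_SUGID while the real
 * and effective credentials still differ. */
static void exec_plain_fixed(struct proc_model *p)
{
    if (p->ruid == p->euid && p->rgid == p->egid)
        p->p_sugid = false;
}

/* Simplified attach check: the real owner may attach only to a target that
 * did not gain privilege through set-id execution; root always may. */
static bool ptrace_attach_allowed(uid_t tracer_uid, const struct proc_model *t)
{
    if (tracer_uid == 0)
        return true;
    return tracer_uid == t->ruid && !t->p_sugid;
}

/* Scenario: an unprivileged user (uid 1000, constructed) runs a setuid-root
 * program that then execs another image without dropping privilege.
 * Returns whether that user could attach to the replacement process. */
bool owner_can_attach_after_exec(bool fixed_kernel)
{
    struct proc_model p = { 1000, 1000, 100, 100, false };
    exec_setid(&p, 0);
    if (fixed_kernel) exec_plain_fixed(&p); else exec_plain_vulnerable(&p);
    return ptrace_attach_allowed(1000, &p);
}
```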
The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your kernel.
In these instructions, replace:

  ARCH     with your architecture (from uname -m), and
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

  # cd src
  # cvs update -d -P sys/kern/kern_exec.c
  # ./build.sh kernel=KERNCONF
  # mv /netbsd /netbsd.old
  # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
  # shutdown -r now

For more information on how to do this, see:

  http://www.netbsd.org/guide/en/chap-kernel.html


Thanks To
=========

Tavis Ormandy for reporting the bug and Christos Zoulas for the fix.


Revision History
================

2005-11-01  Initial release
2005-11-08  Corrected date for -current version affected.


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-013.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
  http://www.NetBSD.org/Security/


Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-013.txt,v 1.4 2005/11/08 08:36:17 dan Exp $