Subject: NetBSD Security Advisory 2005-013: ptrace() permissions after S[UG]ID and exec()
To: None <tech-security@NetBSD.org, current-users@NetBSD.org>
From: NetBSD Security-Officer <email@example.com>
Date: 11/08/2005 10:01:17
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2005-013
Topic: ptrace() permissions after S[UG]ID and exec()
Version: NetBSD-current: source prior to October 21, 2005
NetBSD 2.1: affected
NetBSD 2.0.3: affected
NetBSD 2.0: affected
NetBSD 1.6: affected
Severity: privilege escalation and injection of code
Fixed: NetBSD-current: October 31, 2005
NetBSD-3 branch: October 31, 2005
NetBSD-2.1 branch: October 31, 2005
(2.1.1 will include the fix)
NetBSD-2.0 branch: October 31, 2005
(2.0.4 will include the fix)
NetBSD-2 branch: October 31, 2005
NetBSD-1.6 branch: October 31, 2005
Processes running with alternate privileges gained from setuid and
setgid executables are prevented from debugger attachment by their
original owner (via ptrace). However, if these processes exec'd
without resetting their real credentials, the replacement process
could be attached to and tampered with.
A process flag P_SUGID is used to track processes that have gained
privileges via the set-id execution bits. This flag is checked by
ptrace when deciding whether to allow debugger attachment.
When a process called exec(), this flag was being cleared, even if the
real and effective credentials were still different. This would defeat
the ptrace check for the replacement process image, and allow
inappropriate attachment by processes owned by the real uid. This
attachment could then be used to alter the behaviour of the process,
and make additional syscalls under the effective uid.
Solutions and Workarounds
A limited workaround may be to mount filesystems with the nosuid
option, or remove setuid bits or general user access from setuid
programs. This is likely to affect required functionality.
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/kern/kern_exec.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
For more information on how to do this, see:
Tavis Ormandy for reporting the bug and Christos Zoulas for the fix.
2005-11-01 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-013.txt,v 1.3 2005/11/01 02:24:48 dan Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)
-----END PGP SIGNATURE-----