Subject: NetBSD Security Advisory 2005-013: ptrace() permissions after S[UG]ID and exec()
To: None <tech-security@NetBSD.org, current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: current-users
Date: 11/08/2005 10:01:17
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2005-013
		 =================================

Topic:		ptrace() permissions after S[UG]ID and exec()

Version:	NetBSD-current:	source prior to October 21, 2005
		NetBSD 2.1:	affected
		NetBSD 2.0.3:	affected
		NetBSD 2.0:	affected
		NetBSD 1.6:	affected

Severity:	privilege escalation and injection of code

Fixed:		NetBSD-current:		October 31, 2005
		NetBSD-3   branch:	October 31, 2005
		NetBSD-2.1 branch:	October 31, 2005
					   (2.1.1 will include the fix)
		NetBSD-2.0 branch:	October 31, 2005
					   (2.0.4 will include the fix)
		NetBSD-2   branch:	October 31, 2005
		NetBSD-1.6 branch:	October 31, 2005

Abstract
========

Processes running with alternate privileges gained from setuid and
setgid executables are prevented from debugger attachment by their
original owner (via ptrace).  However, if these processes exec'd
without resetting their real credentials, the replacement process
could be attached to and tampered with.


Technical Details
=================

A process flag P_SUGID is used to track processes that have gained
privileges via the set-id execution bits. This flag is checked by
ptrace when deciding whether to allow debugger attachment.

When a process called exec(), this flag was being cleared, even if the
real and effective credentials were still different. This would defeat
the ptrace check for the replacement process image, and allow
inappropriate attachment by processes owned by the real uid.  This
attachment could then be used to alter the behaviour of the process,
and make additional syscalls under the effective uid.
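The following is an added, user-space model of the bookkeeping the advisory describes; it is not NetBSD kernel code, and every name in it (struct proc fields, do_exec, ptrace_attach_allowed, the P_SUGID bit value) is invented for illustration. It shows why clearing P_SUGID unconditionally on exec() lets the real-uid owner pass the ptrace check against a process whose effective uid is still root, and how keeping the flag while real and effective credentials differ closes that gap.

```c
/* Model of P_SUGID handling across exec() and the ptrace attach check.
 * Assumption: this mirrors the advisory's description, not the real
 * kern_exec.c / sys_ptrace code. All identifiers are illustrative. */
#include <stdbool.h>
#include <stdio.h>

#define P_SUGID 0x100u   /* flag bit value chosen arbitrarily for the model */

struct proc {
    unsigned ruid, euid, svuid;   /* real, effective, saved user ids  */
    unsigned rgid, egid, svgid;   /* real, effective, saved group ids */
    unsigned flags;
};

/* True while any real/effective/saved id pair disagrees. */
static bool creds_mismatch(const struct proc *p)
{
    return p->ruid != p->euid || p->ruid != p->svuid ||
           p->rgid != p->egid || p->rgid != p->svgid;
}

/* exec() of a file owned by file_uid:file_gid with the given set-id bits.
 * Old kernel: P_SUGID is cleared whenever this exec gains nothing.
 * Fixed kernel: P_SUGID is only cleared once the credentials agree again. */
static void do_exec(struct proc *p, unsigned file_uid, unsigned file_gid,
                    bool suid_bit, bool sgid_bit, bool fixed_kernel)
{
    bool gained = false;
    if (suid_bit && p->euid != file_uid) {
        p->euid = p->svuid = file_uid;
        gained = true;
    }
    if (sgid_bit && p->egid != file_gid) {
        p->egid = p->svgid = file_gid;
        gained = true;
    }
    if (gained)
        p->flags |= P_SUGID;
    else if (!fixed_kernel || !creds_mismatch(p))
        p->flags &= ~P_SUGID;   /* old kernel reaches here unconditionally */
}

/* ptrace attach: root may attach to anything; anyone else only to a
 * process with the same real uid that has not gained set-id privileges. */
static bool ptrace_attach_allowed(const struct proc *tracer,
                                  const struct proc *target)
{
    if (tracer->euid == 0)
        return true;
    if (tracer->ruid != target->ruid)
        return false;
    return (target->flags & P_SUGID) == 0;
}

/* Constructed scenario: uid 1000 runs a setuid-root program, which then
 * exec()s an ordinary program without touching its credentials. */
static bool attach_after_setuid_exec(bool fixed_kernel)
{
    struct proc user = { 1000, 1000, 1000, 100, 100, 100, 0 };
    struct proc target = user;
    do_exec(&target, 0, 0, true, false, fixed_kernel);       /* setuid root */
    do_exec(&target, 1000, 100, false, false, fixed_kernel); /* plain exec */
    return ptrace_attach_allowed(&user, &target);
}

static bool old_kernel_allows_attach(void)   { return attach_after_setuid_exec(false); }
static bool fixed_kernel_allows_attach(void) { return attach_after_setuid_exec(true); }

/* Same start, but the set-id program drops back to its real ids (the
 * setuid(getuid()) pattern) before the plain exec. Attaching is then fine
 * under the fixed rule too, because no elevated privilege remains. */
static bool fixed_kernel_allows_attach_after_drop(void)
{
    struct proc user = { 1000, 1000, 1000, 100, 100, 100, 0 };
    struct proc target = user;
    do_exec(&target, 0, 0, true, false, true);
    target.euid = target.svuid = target.ruid;
    target.egid = target.svgid = target.rgid;
    do_exec(&target, 1000, 100, false, false, true);
    return ptrace_attach_allowed(&user, &target);
}

int main(void)
{
    printf("old kernel, attach after setuid exec:   %s\n",
           old_kernel_allows_attach() ? "allowed" : "denied");
    printf("fixed kernel, attach after setuid exec: %s\n",
           fixed_kernel_allows_attach() ? "allowed" : "denied");
    printf("fixed kernel, attach after priv drop:   %s\n",
           fixed_kernel_allows_attach_after_drop() ? "allowed" : "denied");
    return 0;
}
```

The decisive line is the else branch in do_exec: the old behaviour clears the flag as soon as an exec gains nothing new, while the fixed behaviour first asks whether the process still carries credentials its real-uid owner does not have.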

Solutions and Workarounds
=========================

A limited workaround may be to mount filesystems with the nosuid
option, or remove setuid bits or general user access from setuid
programs.  This is likely to affect required functionality.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

  ARCH     with your architecture (from uname -m), and
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P sys/kern/kern_exec.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

   http://www.netbsd.org/guide/en/chap-kernel.html


Thanks To
=========

Tavis Ormandy for reporting the bug and Christos Zoulas for the fix.


Revision History
================

	2005-11-01	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-013.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-013.txt,v 1.3 2005/11/01 02:24:48 dan Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)

iQCVAwUBQ2fKEj5Ru2/4N2IFAQLlPQP+NlyGnExgcX22TlpsMYp3KebFwxch2Exr
5WhveY3jfOg6/u+Tl6zH5d1K09QCONVEILmcVHS2PLzyCG+4svQUaa3wCxTU+QH2
UOjFmOwHl46uTkuVqqi94bjQclvoejbCW6UU1cthA5sNQbXB4crBMzKtJ5gto2xZ
A7Cd62yRC/E=
=2k1u
-----END PGP SIGNATURE-----