Subject: NetBSD Security Advisory 2000-001
To: None <>
From: Daniel Carosone <>
List: netbsd-announce
Date: 02/16/2000 07:59:08

                 NetBSD Security Advisory 2000-001

Topic:		procfs security hole
Version:	NetBSD 1.4.1 and prior; NetBSD-current until 20000126
Severity:	If the proc filesystem is mounted, any user can become root


The procfs filesystem makes the different resources of a process
available under the directory /proc/<pid>/. One of these resources
is the memory image of the process. Reading to and writing from this
special file is restricted. However, by tricking a setuid binary to
write into this file, this restriction can be circumvented, and the
memory image of another setuid binary can be manipulated in such a way
that it will execute a shell.

Note that the procfs filesystem is not used in default NetBSD

Technical Details

Access to /proc/<pid>/mem is protected by the procfs_checkioperm()
function in sys/miscfs/procfs/procfs_mem.c. However, this function
does allow access if the effective uid of the writing process is 0.
If a setuid process can be manipulated in such a way that it writes to
a filedescriptor referring to an open /proc/<pid>/mem, this check
will not protect the memory written. One way to do this is to open
/proc/<pid>/mem, dup2() that filedescriptor onto filedescriptor 2,
do a seek on that filedescriptor to an appropriate offset (the right
stack address), execute a setuid binary, and trick it into writing an
error message that contains code to execute a shell. If the main
program, meanwhile, has executed another setuid binary, this will have
its stack overwritten, and execute a shell, giving the user root

Solutions and Workarounds

A patch is available for NetBSD 1.4.1, that revokes all vnodes
referring to procfs files when a process is about to execute
a setuid or setgid binary. It is located at:


NetBSD-current since 20000126 is not vulnerable.  Users of
NetBSD-current should upgrade to a source tree later than 20000126

If this action cannot be taken, an immediate workaround is to disable
the use of the proc filesystem. It is not mounted by default in NetBSD,
and nothing in the NetBSD base tree depends on it. You can disable
it by removing any procfs lines from /etc/fstab.

Thanks To

Jason Thorpe and Charles Hannum for commenting on the fix.

Revision History

	1999/01/29 - initial version
	1999/01/31 - corrected spelling of "onto"
	1999/02/13 - minor editorial changes for release.

More Information

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 1999, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2000-001.txt,v 1.2 2000/02/13 03:25:24 dan Exp $

Version: 2.6.3ia
Charset: noconv