Subject: Re: 1997 procfs vulnerability is back for more
To: Miles Nordin <carton@Ivy.NET>
From: Dave Sainty <dave@dtsp.co.nz>
List: tech-security
Date: 02/02/2000 22:56:31

Miles Nordin writes:

> Can anyone buy me a clue on this?
> 
>  http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-01-15&msg=20000121215448.975E322FD4@lists.securityfocus.com
> 
> Honestly, I don't understand what they're talking about.  fclose(stderr);
> execl("setuid-binary",...); -- apparently, am I supposed to remember This
> One? I don't.
> 
> The article rambles on as if we don't exist--which is odd, especially
> these days. Anyway, (1) is this a problem for NetBSD, and (2) considering
> we weren't mentioned on BugTRAQ, does it warrant an announcement from us
> one way or the other?

I was wondering about this myself.  Looking at the procfs code, a
similar scenario appears possible.  There was also a recent change
that looked like it should resolve this class of problem once and for
all...

-----------------------------

Module Name:	syssrc
Committed By:	fvdl
Date:		Tue Jan 25 21:52:05 UTC 2000

Modified Files:
	syssrc/sys/miscfs/procfs: procfs.h procfs_subr.c procfs_vfsops.c

Log Message:
At mount/unmount time, add an exec hook to revoke all vnodes iff the
process is about to exec a sugid binary.

To speed up things, use hashing for vnode allocation, like other filesystems
do. This avoids walking the whole procfs node list in the revoke case too.


To generate a diff of this commit:
cvs rdiff -r1.27 -r1.28 syssrc/sys/miscfs/procfs/procfs.h
cvs rdiff -r1.28 -r1.29 syssrc/sys/miscfs/procfs/procfs_subr.c
cvs rdiff -r1.31 -r1.32 syssrc/sys/miscfs/procfs/procfs_vfsops.c

-----------------------------

However I never saw a categorical statement of which versions of NetBSD
were vulnerable to this particular problem, if any...

It seems the problem should be resolved after this change to
NetBSD-current, perhaps someone could say whether the problem was
present in previous versions...

Cheers,

Dave
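The class of problem the thread refers to is a process closing one of its standard descriptors and then exec'ing a privileged binary, so that the first file the privileged program opens lands on fd 0, 1 or 2 and is then written to or read from as if it were a terminal. The NetBSD commit quoted above addresses the procfs instance of this in the kernel (revoking procfs vnodes on exec of a set-id binary). The example below is an added illustration, not code from this thread, from NetBSD or from the BugTraq posting: it shows the complementary user-space defence, a `sanitise_stdfd()` routine that a privileged program can call before opening anything, plus a small in-process harness that reproduces the descriptor-reuse hazard without any setuid binary. All function names are hypothetical; `/dev/null` stands in for the sensitive file.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 if descriptor fd is currently open in this process, else 0.
 * F_GETFD is a harmless query that fails with EBADF on a closed slot. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Make sure fds 0, 1 and 2 are all open before the program opens anything
 * else.  Any closed slot is bound to /dev/null, so a later open() of a
 * sensitive file can never land on a standard descriptor.  Returns the
 * number of slots that had to be re-opened, or -1 if /dev/null could not
 * be opened. */
int sanitise_stdfd(void)
{
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        int nullfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nullfd == -1)
            return -1;
        if (nullfd != fd) {
            /* Slots are filled in ascending order, so open() normally returns
             * fd itself; dup2() covers the case where it did not. */
            if (dup2(nullfd, fd) == -1) {
                close(nullfd);
                return -1;
            }
            close(nullfd);
        }
        reopened++;
    }
    return reopened;
}

/* Constructed harness reproducing the hazard in-process (no setuid binary
 * involved): close fd 2, optionally sanitise, then open a stand-in for a
 * sensitive file and report which descriptor number it received.  The real
 * stderr is saved and restored around the experiment. */
int first_fd_after_closing_stderr(int sanitise_first)
{
    sanitise_stdfd();            /* establish a known state: 0, 1, 2 open */
    int saved = dup(2);          /* keep stderr so it can be restored */
    close(2);                    /* what fclose(stderr) does before exec */
    if (sanitise_first)
        sanitise_stdfd();        /* the defence a privileged program applies */
    int got = open("/dev/null", O_RDONLY);   /* stands in for a private file */
    if (got != -1)
        close(got);
    if (saved != -1) {
        dup2(saved, 2);          /* also replaces any /dev/null placed on 2 */
        close(saved);
    }
    return got;                  /* 2 when unsanitised, > 2 when sanitised */
}

int main(void)
{
    printf("without sanitising: sensitive file got fd %d\n",
           first_fd_after_closing_stderr(0));
    printf("with sanitising:    sensitive file got fd %d\n",
           first_fd_after_closing_stderr(1));
    return 0;
}
```

The harness shows the two outcomes side by side: with fd 2 closed, the very next `open()` returns 2, so anything the program later writes to stderr goes into that file; after `sanitise_stdfd()` the slot is already occupied by `/dev/null` and the file lands on a descriptor above 2. The kernel-side change in the quoted commit closes the procfs variant regardless of what the privileged program does; the user-space routine is what a set-id program can do for itself against the general case.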