From owner-doc-jp@jp.freebsd.org  Sat Jan 29 09:04:58 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id JAA53638;
	Sat, 29 Jan 2000 09:04:58 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from sv01.geocities.co.jp (sv01.geocities.co.jp [210.153.89.155])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id JAA53633
	for <doc-jp@jp.freebsd.org>; Sat, 29 Jan 2000 09:04:57 +0900 (JST)
	(envelope-from hrs@geocities.co.jp)
Received: from mail.geocities.co.jp (mail.geocities.co.jp [210.153.89.137]) by sv01.geocities.co.jp (8.9.3+3.2W/3.7W) with ESMTP id JAA20041 for <doc-jp@jp.freebsd.org>; Sat, 29 Jan 2000 09:04:57 +0900 (JST)
Received: from mail.hrs.jp (sutkmax2-ppp26.ed.kagu.sut.ac.jp [133.31.177.92]) by mail.geocities.co.jp (1.3G-GeocitiesJ-3.3) with ESMTP id JAA14941 for <doc-jp@jp.freebsd.org>; Sat, 29 Jan 2000 09:04:55 +0900 (JST)
Message-Id: <200001290004.JAA14941@mail.geocities.co.jp>
Received: from localhost (alph.hrs.jp [192.168.0.10])
	by mail.hrs.jp (8.9.3/3.7W/DomainMaster) with ESMTP id HAA43913
	for <doc-jp@jp.freebsd.org>; Sat, 29 Jan 2000 07:57:05 +0900 (JST)
	(envelope-from hrs@hrs.jp)
To: doc-jp@jp.freebsd.org
In-Reply-To: <200001280901.CAA60307@harmony.village.org>
References: <200001280901.CAA60307@harmony.village.org>
X-Mailer: Mew version 1.94 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Sat, 29 Jan 2000 07:54:26 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
X-Dispatcher: imput version 990905(IM130)
Lines: 230
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: doc-jp 6987
Subject: [doc-jp 6987] Re: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:02.procfs
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@geocities.co.jp

Sato at Tokyo University of Science here.

I have translated the procfs SA.

 * The header still reads SA-00:01, but that is how the original has it.
 * If "exploit code" and "local root compromise" are translated clumsily it
   may become unclear what the original terms were; is there an established
   translation for them?

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@geocities.co.jp>
|
|                                  j7397067@ed.noda.sut.ac.jp(univ)
|                        hrs@jp.FreeBSD.org(FreeBSD doc-jp Project)

($B$3$3$+$i(B)-------------------------------------------------------------

  $B$3$N%a!<%k$O(B announce-jp $B$KN.$l$?(B

Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:02.procfs
From: FreeBSD Security Officer <security-officer@freebsd.org>
Date: Fri, 28 Jan 2000 02:01:36 -0700 (MST)
Message-Id: <200001280901.CAA60307@harmony.village.org>
X-Sequence: announce-jp 377

  The original is PGP-signed; this Japanese translation is not.  To verify
with PGP that the patch and the rest of the contents have not been tampered
with, refer to the original.
  The Japanese translation is provided for reference by the FreeBSD Japanese
Documentation Project (doc-jp); neither the translator nor doc-jp makes any
guarantee about its content.
  Please send questions about the Japanese translation to
doc-jp@jp.freebsd.org.

=============================================================================
FreeBSD-SA-00:01                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:       Old procfs hole incompletely filled

$BJ,N`(B:           core
$B%b%8%e!<%k(B:     make
$B9pCNF|;~(B:       2000-01-24
$B1F6AHO0O(B:       $B=$@5F|0JA0$N$9$Y$F$N%P!<%8%g%s(B
$B=$@5F|;~(B:       2000-01-20
FreeBSD $B8GM-@-(B: NO

$B=$@5%Q%C%A(B:     ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:02/procfs.patch

I.   $BGX7J(B

procfs provides access to other processes' memory spaces.  This is
intended for use in debugging, and it has many safeguards built in to
prevent abuse.

II.  $BLdBj$N2r@b(B

In January 1997 a fatal flaw in the *BSD procfs code (leading to a local
root compromise) was discussed on various security forums.  The exploit
code dealt with the /proc/pid/mem interface.  Since then *BSD kernels have
contained a simple fix which was meant to close this hole.

Unfortunately, throughout these three years it was still possible to
abuse /proc/pid/mem in a similar, though more complicated, fashion,
which could lead to a local root compromise.
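The abuse the advisory describes comes down to a privileged image inheriting a descriptor that refers to a procfs file its unprivileged caller was allowed to open, and then writing to it with raised credentials; the kernel patch in section V closes such descriptors at exec time. The program below is an added example and is not code from the advisory or from FreeBSD: it shows the userland counterpart, a check a setuid or setgid program can run first thing in main() so that any of fd 0, 1 and 2 that is closed or refers to procfs is replaced with /dev/null before anything is written. All function names are my own; the procfs test uses fstatfs(2), comparing PROC_SUPER_MAGIC on Linux and the f_fstypename string on FreeBSD, and the self-check path /proc/self/status is assumed to exist only on Linux.

```c
/*
 * Added example (not code from the advisory or FreeBSD): the userland
 * counterpart of the kernel's exec-time check.  A privileged program must
 * not trust inherited fds 0-2: a caller may leave one closed, or point it
 * at a file it could open but the privileged image must never write to
 * (here, a procfs file).  Each such slot is replaced with /dev/null.
 */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#if defined(__linux__)
#include <sys/vfs.h>
#ifndef PROC_SUPER_MAGIC
#define PROC_SUPER_MAGIC 0x9fa0 /* as in <linux/magic.h> */
#endif
#else
#include <sys/param.h>
#include <sys/mount.h>
#endif

/* 1 if fd refers to a file on procfs, 0 if not, -1 if fstatfs() fails. */
int fd_on_procfs(int fd)
{
    struct statfs sfs;
    if (fstatfs(fd, &sfs) != 0)
        return -1;
#if defined(__linux__)
    return sfs.f_type == PROC_SUPER_MAGIC;
#else
    return strcmp(sfs.f_fstypename, "procfs") == 0;
#endif
}

/* 1 if fd is closed (EBADF) or lives on procfs, 0 if it is acceptable. */
int fd_is_unsafe(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return errno == EBADF;
    return fd_on_procfs(fd) == 1;
}

/* Install /dev/null on fd: read side for stdin, write side otherwise. */
int redirect_to_devnull(int fd)
{
    int nfd = open("/dev/null", fd == STDIN_FILENO ? O_RDONLY : O_WRONLY);
    if (nfd < 0)
        return -1;
    if (nfd == fd)                  /* open() already filled the hole */
        return 0;
    int rc = dup2(nfd, fd) < 0 ? -1 : 0;
    close(nfd);
    return rc;
}

/* Replace every unsafe fd in [lo, hi]; returns the count, -1 on failure. */
int sanitize_fd_range(int lo, int hi)
{
    int fd, replaced = 0;
    for (fd = lo; fd <= hi; fd++) {
        if (!fd_is_unsafe(fd))
            continue;
        if (redirect_to_devnull(fd) != 0)
            return -1;
        replaced++;
    }
    return replaced;
}

/* What a setuid/setgid program should call first thing in main(). */
int sanitize_stdfds(void)
{
    return sanitize_fd_range(STDIN_FILENO, STDERR_FILENO);
}

/*
 * Self-check on high fds so the caller's own stdio is left alone: 40 stays
 * closed, 41 goes onto a procfs file when /proc/self/status opens (Linux
 * path assumed).  Both must come back open and off procfs.  1 on success.
 */
int self_check(void)
{
    int p, ok;
    close(40);
    close(41);
    p = open("/proc/self/status", O_RDONLY);
    if (p >= 0 && dup2(p, 41) == 41)
        close(p);
    ok = sanitize_fd_range(40, 41) == 2
        && !fd_is_unsafe(40) && fd_on_procfs(40) == 0
        && !fd_is_unsafe(41) && fd_on_procfs(41) == 0;
    close(40);
    close(41);
    return ok;
}

int main(void)
{
    if (sanitize_stdfds() < 0)
        _exit(1);
    return self_check() ? 0 : 1;
}
```

Closing alone is not enough, which is why the example installs /dev/null rather than just dropping the descriptor: once a slot in 0..2 is free, the first open() the program performs lands there, and a later diagnostic written to stderr would go into that file. self_check() exercises the same logic on descriptors 40 and 41 so that the caller's own stdio is never touched.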

III. $B1F6A(B

Local users can gain root access.
$B%m!<%+%k%f!<%6$K(B root $B8"8B$N<hF@$r2DG=$K$7$^$9(B.

IV.  $BBP1~:v(B

You can unmount /proc.  In both 3.x-stable and 4.0-current this will
break truss and gcore.  In 3.x-stable systems only it will reduce the
amount of information ps reports.

/proc $B$r%"%s%^%&%s%H$9$k$3$H$GBP:v2DG=$G$9(B. $B$3$NA`:n$K$h$j(B, 
3.X-STABLE $B$*$h$S(B 4.0-CURRENT $B$NN>J}$K$*$$$F(B
truss(1) $B$H(B gcore(1) $B$,;HMQITG=$K$J$j$^$9(B.
$B$^$?(B, 3.X-STABLE $B$N$_(B, ps(1) $B$GI=<($5$l$k>pJs$,>/$J$/$J$j$^$9(B.

V.   $B=$@5=hCV(B

$B0J2<$N%Q%C%A$rE,MQ$7$F2<$5$$(B.

     Index: sys/filedesc.h
     ===================================================================
     RCS file: /base/FreeBSD-CVS/src/sys/sys/filedesc.h,v
     retrieving revision 1.15.2.1
     diff -u -r1.15.2.1 filedesc.h
     --- filedesc.h	1999/08/29 16:32:22	1.15.2.1
     +++ filedesc.h	2000/01/20 21:39:29
     @@ -139,6 +139,7 @@
      int	fsetown __P((pid_t, struct sigio **));
      void	funsetown __P((struct sigio *));
      void	funsetownlst __P((struct sigiolst *));
     +void	setugidsafety __P((struct proc *p));
      #endif

      #endif
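Review bot: the new prototype names its parameter, `void setugidsafety __P((struct proc *p));`, while every neighbouring declaration in this block omits parameter names (`__P((pid_t, struct sigio **))`, `__P((struct sigio *))`); drop the name for consistency with the surrounding style. A one-line comment saying this is called at exec time for set-id images would also help, since the name alone does not say when it runs.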
     Index: kern/kern_descrip.c
     ===================================================================
     RCS file: /base/FreeBSD-CVS/src/sys/kern/kern_descrip.c,v
     retrieving revision 1.58.2.3
     diff -u -r1.58.2.3 kern_descrip.c
     --- kern_descrip.c	1999/11/18 08:09:08	1.58.2.3
     +++ kern_descrip.c	2000/01/20 21:40:00
     @@ -984,6 +984,62 @@
      }

      /*
     + * For setuid/setgid programs we don't want to people to use that setuidness
     + * to generate error messages which write to a file which otherwise would
     + * otherwise be off limits to the proces.
     + *
     + * This is a gross hack to plug the hole.  A better solution would involve
     + * a special vop or other form of generalized access control mechanism.  We
     + * go ahead and just reject all procfs file systems accesses as dangerous.
     + *
     + * Since setugidsafety calls this only for fd 0, 1 and 2, this check is
     + * sufficient.  We also don't for setugidness since we know we are.
     + */
     +static int
     +is_unsafe(struct file *fp)
     +{
     +	if (fp->f_type == DTYPE_VNODE && 
     +	    ((struct vnode *)(fp->f_data))->v_tag == VT_PROCFS)
     +		return (1);
     +	return (0);
     +}
     +
     +/*
     + * Make this setguid thing safe, if at all possible.
     + */
     +void
     +setugidsafety(p)
     +	struct proc *p;
     +{
     +	struct filedesc *fdp = p->p_fd;
     +	struct file **fpp;
     +	char *fdfp;
     +	register int i;
     +
     +	/* Certain daemons might not have file descriptors. */
     +	if (fdp == NULL)
     +		return;
     +
     +	fpp = fdp->fd_ofiles;
     +	fdfp = fdp->fd_ofileflags;
     +	for (i = 0; i <= fdp->fd_lastfile; i++, fpp++, fdfp++) {
     +		if (i > 2)
     +			break;
     +		if (*fpp != NULL && is_unsafe(*fpp)) {
     +			if (*fdfp & UF_MAPPED)
     +				(void) munmapfd(p, i);
     +			(void) closef(*fpp, p);
     +			*fpp = NULL;
     +			*fdfp = 0;
     +			if (i < fdp->fd_freefile)
     +				fdp->fd_freefile = i;
     +		}
     +	}
     +	while (fdp->fd_lastfile > 0 && fdp->fd_ofiles[fdp->fd_lastfile] == NULL)
     +		fdp->fd_lastfile--;
     +}
     +
     +/*
       * Close any files on exec?
       */
      void
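Review bot: a rejected descriptor is closed and its slot left empty (`closef(*fpp, p); *fpp = NULL;`), so the first open() the set-id image performs can land on fd 0, 1 or 2 and its later error messages will be written into that file; installing /dev/null in the freed slot instead of leaving a hole would close that follow-on problem. Smaller points in the same hunk: the loop `for (i = 0; i <= fdp->fd_lastfile; ...) { if (i > 2) break;` reads more clearly with the bound folded into the condition (`i <= fdp->fd_lastfile && i <= 2`); `register` on `i` is redundant; and the comment block has typos that obscure the rationale ("we don't want to people", "which otherwise would otherwise be", "proces", and "We also don't for setugidness" is missing "check"). The `fd_freefile` update and the trailing `fd_lastfile` trim are consistent with each other.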
     Index: kern/kern_exec.c
     ===================================================================
     RCS file: /base/FreeBSD-CVS/src/sys/kern/kern_exec.c,v
     retrieving revision 1.93.2.3
     diff -u -r1.93.2.3 kern_exec.c
     --- kern_exec.c	1999/08/29 16:25:58	1.93.2.3
     +++ kern_exec.c	2000/01/20 21:39:29
     @@ -281,6 +281,7 @@
		     if (attr.va_mode & VSGID)
			     p->p_ucred->cr_gid = attr.va_gid;
		     setsugid(p);
     +		setugidsafety(p);
	     } else {
		     if (p->p_ucred->cr_uid == p->p_cred->p_ruid &&
			 p->p_ucred->cr_gid == p->p_cred->p_rgid)
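Review bot: the call is placed after `setsugid(p)` inside the VSUID/VSGID branch, so it runs only for privilege-raising execs and after `p_ucred` already carries the new uid/gid; that means `closef()` inside setugidsafety() runs with the raised credentials, which is harmless for closing a vnode but deserves a one-line comment at the call site, as nothing near it explains why procfs descriptors are being dropped. The added line's indentation also differs from the surrounding context as shown here (tab versus the spaces the mailer introduced), so check that the hunk applies cleanly, as the advisory's own notice warns.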

VI.  $B%/%l%8%C%H(B

We are republishing a heavily edited FEAR security advisory (number 1)
entitled "*BSD procfs vulnerability".  More information about FEAR can
be found at http://www.fear.pl.  We would like to thank
nergal@idea.avet.com.pl for sending a preliminary version of the
advisory to us in time to correct the problem.

$B;d$?$A(B(Security Officer Team)$B$O(B, "*BSD procfs vulnerability" $B$H$$$&(B
FEAR $B%;%-%e%j%F%#4+9p(B(No.1)$B$rJT=8$7(B, $B:FH/9T$7$F$$$^$9(B.
FEAR $B$K4X$9$k>\:Y$O(B, http://www.fear.pl $B$r$4Mw2<$5$$(B.
$BLdBj$r=$@5$9$k$?$a(B, $B$3$N4+9p$N;CDjHG$rAw$C$F$/$l$?(B
nergal@idea.avet.com.pl $B$K46<U$7$^$9(B.

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================
