Message-ID: <20000129014332.3252.qmail@smtp.246.ne.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: <200001290004.JAA14941@mail.geocities.co.jp>
References: <200001280901.CAA60307@harmony.village.org>
	<200001290004.JAA14941@mail.geocities.co.jp>
Date: Sat, 29 Jan 2000 10:43:33 +0900
From: Koga Youichirou <y-koga@jp.freebsd.org>
Subject: [doc-jp 6988] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:02.procfs

Hiroki Sato <hrs@geocities.co.jp>:
> procfs $B$N(B SA $B$rLu$7$^$7$?!#(B

$B$Q$A$Q$A!#(B

>  * $BKAF,$,(B SA-00:01 $B$N$^$^$K$J$C$F$^$9$,!"86J8$N$^$^$G$9!#(B

So it does. It would be good to add a translator's note before the body text.

>  * If exploit code and local root compromise are translated clumsily,
>    it may become unclear what the original term was; are there established translations?

$BIaCJ$O(B exploit code $B$C$F;H$C$F$$$k$J$!!#$^$!!"!V$3$N7g4Y$rMxMQ$9$k967b(B
$B%W%m%0%i%`!W$C$F$H$3$m$+$J!#(B

local root compromise $B$O!V%m!<%+%k$N(Broot($B8"8B(B)$B$,4m81$K$5$i$5$l$k!W$G(B
$B$$$$$s$8$c$J$$$+$J!#(B

> =============================================================================
> FreeBSD-SA-00:01                                            Security Advisory
$B!D(B $B$5$/$C$HN,(B $B!D(B
> $B%b%8%e!<%k(B:     make

$B$3$l$b(B 01 $B$N$r(B cut & paste $B$7$F$7$^$C$F$$$k$s$G$7$g$&!#$b$A$m$s@5$7$/(B
$B$O(B kernel $B$G$7$g$&!#:#2s$N%*%j%8%J%k$N$O$J$s$H$b$*AFKv$G$9$M(B :-<
$B$3$l$bLuCm$G(B kernel $B$G$"$k$3$H$r<($7$^$7$g$&!#(B

> I.   $BGX7J(B
> 
> procfs provides access to other processes memory spaces.  This is
> intended to be used in debugging and has many safeguards built into it
> to prevent abuse.
> 
> procfs $B$O(B, $B0[$J$k%W%m%;%9$N%a%b%j6u4V$X$N%"%/%;%9$rDs6!$9$k$b$N$G$9(B.
> $B$3$l$O%G%P%C%0$KMxMQ$5$l$k$3$H$r0U?^$7$?$b$N$G(B, $BMtMQ$K:]$7$F$$$/$D$b$N(B
> $BKI8n5!9=$,Hw$($i$l$F$$$^$9(B.

「乱用に際して」 ("in the event of misuse") → 「悪用を防ぐために」 ("to prevent abuse")

> II.  $BLdBj$N2r@b(B
$B!D(B $B$5$/$C$HN,(B $B!D(B
> Unfortunately, throughout these three years it was still possible to
> abuse /proc/pid/mem in a similar, though more complicated fashion,
> which could lead to local root compromise.
> 
> $B$7$+$7$3$N(B 3 $BG/4V(B, $BIT9,$J$3$H$K(B, $B$=$l$H;w$?$5$i$KJ#;($J<jCJ$r(B
> $BMQ$$$F(B /proc/pid/mem $B$rMtMQ$7(B,
> $B%m!<%+%k$N(B root $B8"8B$r<hF@$9$k$3$H(B(local root compromise)$B$,(B,
> $B0MA3$H$7$F2DG=$J>uBV$K$J$C$F$$$^$7$?(B.

Unfortunately $B$O!V;DG0$J$,$i!W$NJ}$,<+A3$JLu$K$J$j$^$9!#(B
$B!VMtMQ!W"*!V0-MQ!W(B

> III. $B1F6A(B
> 
> Local users can gain root access.
> $B%m!<%+%k%f!<%6$K(B root $B8"8B$N<hF@$r2DG=$K$7$^$9(B.

Let's make 「ローカルユーザ」 ("local users") the subject.

> Notice: Any patches in this document may not apply cleanly due to
>         modifications caused by digital signature or mailer software.
>         Please reference the URL listed at the top of this document
>         for original copies of all patches if necessary.

Let's translate this part too.
----
$B$3$,$h$&$$$A$m$&(B
