From owner-doc-jp@jp.freebsd.org  Sat Jan 29 18:58:53 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id SAA80799;
	Sat, 29 Jan 2000 18:58:53 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from sv01.geocities.co.jp (sv01.geocities.co.jp [210.153.89.155])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id SAA80794
	for <doc-jp@jp.freebsd.org>; Sat, 29 Jan 2000 18:58:53 +0900 (JST)
	(envelope-from hrs@geocities.co.jp)
Received: from mail.geocities.co.jp (mail.geocities.co.jp [210.153.89.137]) by sv01.geocities.co.jp (8.9.3+3.2W/3.7W) with ESMTP id SAA05258 for <doc-jp@jp.freebsd.org>; Sat, 29 Jan 2000 18:58:53 +0900 (JST)
Received: from mail.hrs.jp (sutkmax2-ppp06.ed.kagu.sut.ac.jp [133.31.177.72]) by mail.geocities.co.jp (1.3G-GeocitiesJ-3.3) with ESMTP id SAA19557 for <doc-jp@jp.freebsd.org>; Sat, 29 Jan 2000 18:58:50 +0900 (JST)
Message-Id: <200001290958.SAA19557@mail.geocities.co.jp>
Received: from localhost (alph.hrs.jp [192.168.0.10])
	by mail.hrs.jp (8.9.3/3.7W/DomainMaster) with ESMTP id SAA44561
	for <doc-jp@jp.freebsd.org>; Sat, 29 Jan 2000 18:58:37 +0900 (JST)
	(envelope-from hrs@hrs.jp)
In-Reply-To: <20000129014332.3252.qmail@smtp.246.ne.jp>
References: <200001280901.CAA60307@harmony.village.org>
	<200001290004.JAA14941@mail.geocities.co.jp>
	<20000129014332.3252.qmail@smtp.246.ne.jp>
To: doc-jp@jp.freebsd.org
X-Mailer: Mew version 1.94 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Sat, 29 Jan 2000 18:55:58 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
X-Dispatcher: imput version 990905(IM130)
Lines: 238
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: doc-jp 6989
Subject: [doc-jp 6989] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:02.procfs
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@geocities.co.jp

$B:4F#!wEl5~M}2JBg3X$G$9!#(B

$B8m$j$NCm5-$r2C$($F!";XE&ItJ,$r=$@5$7$^$7$?!#(B

 # $BFC$KLdBj$,$J$$$h$&$G$7$?$i!"(Bannounce-jp $B$NJ}$K2s$7$^$9!#(B

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@geocities.co.jp>
|
|                                  j7397067@ed.noda.sut.ac.jp(univ)
|                        hrs@jp.FreeBSD.org(FreeBSD doc-jp Project)

($B$3$3$+$i(B)------------------------------------------------------------

  $B$3$N%a!<%k$O(B announce-jp $B$KN.$l$?(B

Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:02.procfs
From: FreeBSD Security Officer <security-officer@freebsd.org>
Date: Fri, 28 Jan 2000 02:01:36 -0700 (MST)
Message-Id: <200001280901.CAA60307@harmony.village.org>
X-Sequence: announce-jp 377

$B$rF|K\8lLu$7$?$b$N$G$9(B.
  $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
$B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r9T(B
$B$J$&$K$O86J8$r;2>H$7$F$/$@$5$$(B. 
  $BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B $B$=$NFbMF$K$D$$$F(B
$B$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B. 
  $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.freebsd.org $B$^$G(B
$B$*4j$$$7$^$9(B. 

=============================================================================
FreeBSD-SA-00:01                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:       Old procfs hole incompletely filled
$BJ,N`(B:           core
$B%b%8%e!<%k(B:     make
$B9pCNF|;~(B:       2000-01-24
$B1F6AHO0O(B:       $B=$@5F|0JA0$N$9$Y$F$N%P!<%8%g%s(B
$B=$@5F|;~(B:       2000-01-20
FreeBSD $B8GM-@-(B: NO

$B=$@5%Q%C%A(B:     ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:02/procfs.patch

 ------------------------------------------------------------------------------
 [Translator's note] The original of this advisory contains what appear to be
        errors near the top, but the translation keeps the original's wording
        as it is. The suspected errors and their corrections are listed below
        (this is not an official announcement appearing in the original).

  Wrong)   FreeBSD-SA-00:01
  Correct) FreeBSD-SA-00:02

  Wrong)   Module:     make
  Correct) Module:     kernel
 ------------------------------------------------------------------------------

I.   $BGX7J(B

procfs provides access to other processes' memory spaces.  This is
intended to be used in debugging and has many safeguards built into it
to prevent abuse.

II.  $BLdBj$N2r@b(B

In January 1997 a fatal flaw in *BSD procfs code (leading to a local
root compromise) was discussed on various security forums. The exploit
code dealt with the /proc/pid/mem interface. Since then *BSD kernels
have contained a simple fix which was meant to close this hole.

 [Translator's note] "Exploit code" here means code that abuses a security flaw.

Unfortunately, throughout these three years it was still possible to
abuse /proc/pid/mem in a similar, though more complicated fashion,
which could lead to local root compromise.

III. $B1F6A(B

Local users can gain root access.

IV.  $BBP1~:v(B

You can unmount /proc.  In both 3.x-stable and 4.0-current this will
break truss(1) and gcore(1).  In 3.x-stable systems only, it will reduce
the amount of information ps(1) reports.

V.   $B=$@5=hCV(B

$B0J2<$N%Q%C%A$rE,MQ$7$F2<$5$$(B.

     Index: sys/filedesc.h
     ===================================================================
     RCS file: /base/FreeBSD-CVS/src/sys/sys/filedesc.h,v
     retrieving revision 1.15.2.1
     diff -u -r1.15.2.1 filedesc.h
     --- filedesc.h	1999/08/29 16:32:22	1.15.2.1
     +++ filedesc.h	2000/01/20 21:39:29
     @@ -139,6 +139,7 @@
      int	fsetown __P((pid_t, struct sigio **));
      void	funsetown __P((struct sigio *));
      void	funsetownlst __P((struct sigiolst *));
     +void	setugidsafety __P((struct proc *p));
      #endif

      #endif
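Review bot: the new prototype `void setugidsafety __P((struct proc *p));` names its parameter while the neighbouring prototypes in this header (`fsetown __P((pid_t, struct sigio **))`, `funsetown __P((struct sigio *))`) do not; `__P((struct proc *))` keeps the declaration style consistent. A one-line comment saying the function is meant to be called from the exec path after the set-id credential change would also help readers of filedesc.h, since nothing in the header says when it is safe to call.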
     Index: kern/kern_descrip.c
     ===================================================================
     RCS file: /base/FreeBSD-CVS/src/sys/kern/kern_descrip.c,v
     retrieving revision 1.58.2.3
     diff -u -r1.58.2.3 kern_descrip.c
     --- kern_descrip.c	1999/11/18 08:09:08	1.58.2.3
     +++ kern_descrip.c	2000/01/20 21:40:00
     @@ -984,6 +984,62 @@
      }

      /*
     + * For setuid/setgid programs we don't want to people to use that setuidness
     + * to generate error messages which write to a file which otherwise would
     + * otherwise be off limits to the proces.
     + *
     + * This is a gross hack to plug the hole.  A better solution would involve
     + * a special vop or other form of generalized access control mechanism.  We
     + * go ahead and just reject all procfs file systems accesses as dangerous.
     + *
     + * Since setugidsafety calls this only for fd 0, 1 and 2, this check is
     + * sufficient.  We also don't for setugidness since we know we are.
     + */
     +static int
     +is_unsafe(struct file *fp)
     +{
     +	if (fp->f_type == DTYPE_VNODE && 
     +	    ((struct vnode *)(fp->f_data))->v_tag == VT_PROCFS)
     +		return (1);
     +	return (0);
     +}
     +
     +/*
     + * Make this setguid thing safe, if at all possible.
     + */
     +void
     +setugidsafety(p)
     +	struct proc *p;
     +{
     +	struct filedesc *fdp = p->p_fd;
     +	struct file **fpp;
     +	char *fdfp;
     +	register int i;
     +
     +	/* Certain daemons might not have file descriptors. */
     +	if (fdp == NULL)
     +		return;
     +
     +	fpp = fdp->fd_ofiles;
     +	fdfp = fdp->fd_ofileflags;
     +	for (i = 0; i <= fdp->fd_lastfile; i++, fpp++, fdfp++) {
     +		if (i > 2)
     +			break;
     +		if (*fpp != NULL && is_unsafe(*fpp)) {
     +			if (*fdfp & UF_MAPPED)
     +				(void) munmapfd(p, i);
     +			(void) closef(*fpp, p);
     +			*fpp = NULL;
     +			*fdfp = 0;
     +			if (i < fdp->fd_freefile)
     +				fdp->fd_freefile = i;
     +		}
     +	}
     +	while (fdp->fd_lastfile > 0 && fdp->fd_ofiles[fdp->fd_lastfile] == NULL)
     +		fdp->fd_lastfile--;
     +}
     +
     +/*
       * Close any files on exec?
       */
      void
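Review bot: setugidsafety() closes a procfs-backed descriptor 0, 1 or 2 and lowers fd_freefile to that slot, so the very next open() in the newly set-id process lands on that standard descriptor and any later write to stderr goes into whatever file it opened; pointing the slot at /dev/null instead of leaving it empty would close that gap rather than move it. The block comment also needs cleanup before commit: "we don't want to people to use", "which otherwise would otherwise be off limits to the proces", and "We also don't for setugidness" is missing its verb ("don't check"). Minor: is_unsafe() correctly tests `f_type == DTYPE_VNODE` before casting f_data to a vnode, and the `if (i > 2) break;` could be folded into the loop condition (`i <= 2 && i <= fdp->fd_lastfile`) so the "fd 0, 1 and 2" limit is visible in one place.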
     Index: kern/kern_exec.c
     ===================================================================
     RCS file: /base/FreeBSD-CVS/src/sys/kern/kern_exec.c,v
     retrieving revision 1.93.2.3
     diff -u -r1.93.2.3 kern_exec.c
     --- kern_exec.c	1999/08/29 16:25:58	1.93.2.3
     +++ kern_exec.c	2000/01/20 21:39:29
     @@ -281,6 +281,7 @@
		     if (attr.va_mode & VSGID)
			     p->p_ucred->cr_gid = attr.va_gid;
		     setsugid(p);
     +		setugidsafety(p);
	     } else {
		     if (p->p_ucred->cr_uid == p->p_cred->p_ruid &&
			 p->p_ucred->cr_gid == p->p_cred->p_rgid)
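Review bot: the call `setugidsafety(p);` sits inside the branch that applies the VSUID/VSGID credentials, immediately after `setsugid(p);`, which matches the kern_descrip.c comment that the function does not re-check set-id status itself, and the `else` branch for the non-set-id case in the context lines is correctly left alone. Because the call can leave descriptors 0, 1 and 2 closed, the exec code after this point (or the comment above setugidsafety) should state that a set-id image may start with its standard descriptors closed, so nobody later adds code here that assumes they are open.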

VI.  $B%/%l%8%C%H(B

We are republishing a heavily edited FEAR security advisory (number 1)
entitled "*BSD procfs vulnerability".  More information about FEAR can
be found at http://www.fear.pl.  We would like to thank
nergal@idea.avet.com.pl for sending a preliminary version of the
advisory to us in time to correct the problem.

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

$BCm0U(B: $BK\J8=qCf4^$^$l$k%Q%C%A$O(B, $BEE;R=pL>$d%a%$%i$N=hM}$K$h$C$F(B
      $B2C$($i$l$kJQ99$,860x$G(B, $B$=$N$^$^$G$OE,MQ$G$-$J$$>l9g$,(B
      $B$"$j$^$9(B. $BI,MW$G$"$l$P(B, $BK\J8=q$NKAF,$K5-:\$7$F$"$k(B URL $B$r;2>H$7$F(B
      $B%*%j%8%J%k$N%3%T!<$rF~<j$7$F$/$@$5$$(B.
=============================================================================
