-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:55 Security Advisory FreeBSD, Inc. Topic: procfs vulnerability leaks set[ug]id process memory Category: core Module: procfs Announced: 2001-08-21 Credits: Joost Pol Affects: FreeBSD 4.x, 4.3-STABLE prior to the correction date. Corrected: 2001-08-12 07:29 PDT (4.3-STABLE) 2001-08-13 12:45 PDT (RELENG_4_3) FreeBSD only: Yes I. Background procfs is the process filesystem, which presents a filesystem interface to the system process table, together with associated data. procfs provides access to the memory space of processes via the synthetic /proc//mem file, subject to access control checks. linprocfs is an implementation of procfs which implements a Linux-style procfs, for use with Linux binaries so they can obtain access to exported kernel data. It uses procfs to provide the /proc//mem file. II. Problem Description Prior to the migration of system monitoring utilities (such as ps(8)) to use the sysctl(8) management interface, these utilities formerly used procfs and direct kernel memory access to extract process information, and they ran with the setgid kmem privilege to allow direct kernel memory access. The procfs code checks for gid kmem privilege when granting access to the /proc//mem file -- however, the code which is used to allow read-only access via the kmem group was incorrect, and inappropriately granted read access to the caller as long as they already had an open file descriptor for the procfs mem file. The result of this problem is that if a process initially has debugging rights to a second process, it may retain access to the target process' memory space, even if the target process has upgraded privilege by virtue of performing an execve() call on a setuid or setgid process. This vulnerability can lead to the leaking of sensitive information from such processes, which could be used as the basis for additional attacks, resulting in escalation of attacker privilege on the system. The linprocfs filesystem is also vulnerable to the problem if procfs support is available in the kernel (statically compiled in, or dynamically loaded as a module). If procfs support is not available then linprocfs is not vulnerable to this problem. All released versions of FreeBSD 4.x including FreeBSD 4.3-RELEASE are vulnerable to this problem if the procfs filesystem is in use. It was corrected prior to the (forthcoming) release of FreeBSD 4.4-RELEASE. III. Impact Attackers may be able to extract sensitive system information, such as password hashes from the /etc/master.passwd file, from setuid or setgid processes, such as su(1). This information could be used by attackers to escalate their privileges, possibly yielding root privileges on the local system. Because this attack may only be used on processes that initially are "debuggable" by the attacking process, this attack is limited to executed processes which gain privilege by virtue of being setuid or setgid, and so it cannot be used against other processes which are already running with privilege such as already-running daemons containing sensitive system information. IV. Workaround To work around the problem, perform the following steps as root: Unmount all instances of the procfs and linprocfs filesystems using the unmount(8) command: # umount -f -a -t procfs # umount -f -a -t linprocfs Disable the automatic mounting of all instances of procfs in /etc/fstab: remove or comment out the line(s) of the following form: proc /proc procfs rw 0 0 proc /compat/linux/proc linprocfs rw 0 0 V. Solution 1) Upgrade your vulnerable system to 4.3-STABLE or the RELENG_4_3 security branch, dated after the respective correction dates. 2) To patch your present system: download the relevant patch from the below location, and execute the following commands as root: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:55/procfs.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:55/procfs.patch.asc Verify the detached PGP signature using your PGP utility. This patch has been verified to apply to FreeBSD 4.3-RELEASE and 4.2-RELEASE (users of 4.2-RELEASE should already have the patch from FreeBSD SA-00:77.procfs installed). It may or may not apply to older, unsupported releases of FreeBSD. # cd /usr/src/sys # patch -p < /path/to/patch If procfs is statically compiled into the kernel (i.e. the kernel configuration file contains the line 'options PROCFS'), then rebuild and reinstall your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system with the new kernel for the changes to take effect. By default procfs is statically compiled in the GENERIC kernel configuration. If procfs is dynamically loaded by KLD (use the kldstat(8) command to verify whether this is the case) and the system securelevel has not been raised to a level of 1 or higher, the system can be patched at run-time without requiring a reboot by performing the following steps after patching the source as described above: # cd /usr/src/sys/modules/procfs # make depend # make all install # umount -f -a -t procfs # kldunload procfs # kldload procfs # mount -a -t procfs 3) FreeBSD 4.3-RELEASE systems: An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient. If you use the upgrade package, feedback (positive or negative) to security-officer@FreeBSD.org is requested so we can improve the process for future advisories. During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:55/security-patch-procfs-01.55.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:55/security-patch-procfs-01.55.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-procfs-01.55.tgz Restart your system after applying the patch. VI. CVS Revisions The following $FreeBSD$ CVS revisions contain the fixes for this vulnerability. The $FreeBSD$ revision of installed sources can be examined using the ident(1) command. These revision IDs are not updated by applying the patch referenced above. [FreeBSD 4.3-STABLE] Revision Path 1.3.2.5 src/sys/i386/linux/linprocfs/linprocfs_vnops.c 1.32.2.2 src/sys/miscfs/procfs/procfs.h 1.46.2.2 src/sys/miscfs/procfs/procfs_mem.c 1.76.2.5 src/sys/miscfs/procfs/procfs_vnops.c [RELENG_4_3] Revision Path 1.3.2.3.2.1 src/sys/i386/linux/linprocfs/linprocfs_vnops.c 1.32.2.1.2.1 src/sys/miscfs/procfs/procfs.h 1.46.2.1.2.1 src/sys/miscfs/procfs/procfs_mem.c 1.76.2.3.2.1 src/sys/miscfs/procfs/procfs_vnops.c -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBO4LGfFUuHi5z0oilAQGvFAP9Es3OpWi/tolP9Kfbw3+EWCfGupQ9QMtP xTKwwmp8epr+So1x+bHNaXBdGm5DJq4fvqUOh5kUHkNM5Gfkp2gPPwWXB9J6Ct3e ut3nUlJBeY8K+qV8DGdH4/InuW4HG+Jvw0WSGCmTZnz6q17K0ESJXp2cS5qB7eeL /66o9YNotkE= =FHFP -----END PGP SIGNATURE-----