-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2004-007
                 =================================

Topic:          Systrace systrace_exit() local root

Version:        NetBSD-current:     source prior to Apr 16, 2004
                NetBSD 2.0 branch:  source prior to Apr 16, 2004
                NetBSD 1.6.2:       not affected
                NetBSD 1.6.1:       not affected
                NetBSD 1.6:         not affected
                NetBSD-1.5.3:       not affected
                NetBSD-1.5.2:       not affected
                NetBSD-1.5.1:       not affected
                NetBSD-1.5:         not affected

Severity:       local root exploit

Fixed:          NetBSD-current:     Apr 17, 2004
                NetBSD-2.0 branch:  Apr 17, 2004 (2.0 will include the fix)


Abstract
========

A local user that is allowed to use /dev/systrace can obtain root access.


Technical Details
=================

systrace_exit() did not check if the connection to systrace was owned
by the super user, and would set euid to 0 on exit.


Solutions and Workarounds
=========================

*** Patching from sources:

The fix for this issue is contained in the one file,
sys/kern/kern_systrace.c

The following table lists the fixed revisions and dates of this
file for each branch:

        CVS branch      revision        date
        -------------   -----------     ----------------
        HEAD            1.38            2004/04/17
        netbsd-2-0      1.37.2.1        2004/04/17

The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and
installing a new version of the kernel.

In these instructions, replace:

        BRANCH   with the appropriate CVS branch (from the above table)
        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r BRANCH sys/kern/kern_systrace.c
        # cd sys/arch/ARCH/conf
        # config KERNCONF
        # cd ../compile/KERNCONF
        # make depend;make
        # mv /netbsd /netbsd.old
        # cp netbsd /
        # reboot

* Binary Patch:

Binary patches are being provided, in the form of replacement kernels
built with the patches from the GENERIC kernel configuration.
If you use a custom kernel configuration, these may not be
suitable for you.

netbsd-current:

        Releng does not compile -current kernels during a release
        cycle. Users of -current are expected to be capable of
        upgrading from sources.

netbsd-2-0:

        Retrieve a kernel from:

        ftp://releng.netbsd.org/pub/NetBSD-daily/netbsd-2-0/DATE/ARCH/binary/kernel/

        Where DATE is any available DATE later than 2004-04-17


Thanks To
=========

Stefan Esser for detection and notification
Niels Provos for patches


Revision History
================

        2004-05-12      Initial release
        2004-05-12      Filename typo noted by Jim Bernard


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-007.txt,v 1.4 2004/05/12 19:12:46 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)

iQCVAwUBQKJ3QT5Ru2/4N2IFAQGnsgP9FbhzTLYP/eU/1cO/P5iKvaLZLvmRulNr
MKBQWcxTC6eec8h9+mm0qdxZPTK6aC1B6uqQ1brCCAQpxUVTXpDEujuIKgNrXxNe
Jvga+egFjjbChpsjG1aOc/5uWkfM+BCPW8a9Gg+kGts97ejKMmOKFjhDpNhH0eDw
BQpdtvOP2o0=
=4XAO
-----END PGP SIGNATURE-----
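
Added example, not part of the NetBSD advisory: a POSIX sh check that reads the RCS ident line of sys/kern/kern_systrace.c and compares its revision with the fixed revisions from the table in the advisory (HEAD 1.38, netbsd-2-0 1.37.2.1). The function names and the sample ident line are assumptions made for this example; "predates-fix" only means the revision is older than the fix.

```shell
#!/bin/sh
# Added example: classify a kern_systrace.c revision against the fixed
# revisions listed in the advisory (HEAD 1.38, netbsd-2-0 1.37.2.1).

# Read text on stdin, print the revision from the first
# "$NetBSD: kern_systrace.c,v REV ..." ident line found.
systrace_rev() {
    sed -n 's/.*\$NetBSD: kern_systrace\.c,v \([0-9][0-9.]*\) .*/\1/p' | head -n 1
}

# Print "fixed", "predates-fix" or "unknown" for one revision string.
systrace_rev_status() {
    rev=$1
    case $rev in
        *[!0-9.]*|''|.*|*.|*..*) echo unknown; return ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $rev            # split the revision on dots
    IFS=$old_ifs
    if [ "$#" -eq 2 ] && [ "$1" -eq 1 ]; then
        # Trunk (HEAD) revision 1.N: the fix is 1.38.
        if [ "$2" -ge 38 ]; then echo fixed; else echo predates-fix; fi
    elif [ "$#" -eq 4 ] && [ "$1.$2.$3" = "1.37.2" ] && [ "$4" -ge 1 ]; then
        # netbsd-2-0 branch: the fix is 1.37.2.1, the first revision there.
        echo fixed
    else
        # Any other branch is not covered by the advisory's table.
        echo unknown
    fi
}

# Constructed sample ident line (date and author are made up).
sample='/*	$NetBSD: kern_systrace.c,v 1.37 2004/01/01 00:00:00 example Exp $	*/'
found=$(printf '%s\n' "$sample" | systrace_rev)
echo "kern_systrace.c $found: $(systrace_rev_status "$found")"
```

To check a real tree, pipe the source file into systrace_rev instead of the sample line, for example: systrace_rev < sys/kern/kern_systrace.c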