Topic:     Systrace systrace_exit() local root

Version:   NetBSD-current:     source prior to Apr 16, 2004
           NetBSD 2.0 branch:  source prior to Apr 16, 2004
           NetBSD 1.6.2:       not affected
           NetBSD 1.6.1:       not affected
           NetBSD 1.6:         not affected
           NetBSD-1.5.3:       not affected
           NetBSD-1.5.2:       not affected
           NetBSD-1.5.1:       not affected
           NetBSD-1.5:         not affected

Severity:  local root exploit

Fixed:     NetBSD-current:     Apr 17, 2004
           NetBSD-2.0 branch:  Apr 17, 2004 (2.0 will include the fix)

Abstract
A local user that is allowed to use /dev/systrace can obtain root
access.
Technical Details
systrace_exit() did not check if the connection to systrace was owned by
the super user, and would set euid to 0 on exit.
Solutions and Workarounds
*** Patching from sources:
The fix for this issue is contained in the one file,
sys/kern/kern_systrace.c
The following table lists the fixed revisions and
dates of this file for each branch:
CVS branch      revision      date
-------------   -----------   ----------------
HEAD            1.38          2004/04/17
netbsd-2-0      1.37.2.1      2004/04/17
The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and installing a
new version of the kernel. In these instructions, replace:
BRANCH with the appropriate CVS branch (from the above table)
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r BRANCH sys/kern/kern_systrace.c
# cd sys/arch/ARCH/conf
# config KERNCONF
# cd ../compile/KERNCONF
# make depend;make
# mv /netbsd /netbsd.old
# cp netbsd /
# reboot
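
To confirm that a source tree carries the fix before rebuilding, the revision in the file's $NetBSD$ RCS Id line can be compared with the table above. The script below is an added example, not part of the advisory or of NetBSD; the function names, status strings and script name are made up for illustration, and it assumes the file still has its standard "$NetBSD: kern_systrace.c,v REV ..." Id line.

```sh
#!/bin/sh
# Added example (not from the advisory): compare the RCS revision of
# kern_systrace.c with the fixed revisions in the advisory's table
# (HEAD 1.38, netbsd-2-0 1.37.2.1). Function names are illustrative.

# Print the revision from the file's $NetBSD$ Id line (first match only).
systrace_file_rev() {
    sed -n 's/.*\$NetBSD: kern_systrace\.c,v \([0-9.][0-9.]*\) .*/\1/p' "$1" |
        head -n 1
}

# Classify a revision: fixed, not-fixed (older than the fix) or unknown
# (a branch the advisory's table does not list, or unparseable input).
systrace_rev_status() {
    case $1 in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    if [ "$#" -eq 2 ] && [ "$1" = 1 ] && [ -n "$2" ]; then
        # Trunk. A netbsd-2-0 tree without the fix also lands here: it
        # still has the branch-point revision 1.37.
        if [ "$2" -ge 38 ]; then echo fixed; else echo not-fixed; fi
    elif [ "$#" -eq 4 ] && [ "$1.$2.$3" = 1.37.2 ] && [ -n "$4" ]; then
        # netbsd-2-0 branch revisions are numbered 1.37.2.N.
        if [ "$4" -ge 1 ]; then echo fixed; else echo not-fixed; fi
    else
        echo unknown
    fi
}

# Usage: sh check-systrace-rev.sh src/sys/kern/kern_systrace.c
if [ "$#" -gt 0 ]; then
    rev=$(systrace_file_rev "$1")
    echo "kern_systrace.c ${rev:-<no Id found>}: $(systrace_rev_status "$rev")"
fi
```

A result of not-fixed only means the revision is older than the fix listed in the table; the advisory does not say which earlier revision introduced the problem.
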
* Binary Patch:
Binary patches are being provided, in the form of replacement
kernels built with the patches from the GENERIC kernel
configuration. If you use a custom kernel configuration, these
may not be suitable for you.
netbsd-current:
Releng does not compile -current kernels during a release cycle.
Users of -current are expected to be capable of upgrading from
sources.
netbsd-2-0:
Retrieve a kernel from:
ftp://releng.netbsd.org/pub/NetBSD-daily/netbsd-2-0/DATE/ARCH/binary/kernel/
Where DATE is any available DATE later than 2004-04-17
Thanks To
Stefan Esser for detection and notification
Niels Provos for patches
Revision History
2004-05-12 Initial release
2004-05-12 Filename typo noted by Jim Bernard
More Information
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-007.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/
and
http://www.NetBSD.org/Security/ .
Copyright 2004, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.