NetBSD: systrace Privilege escalation vulnerability
Posted by LinuxSecurity.com Team   
NetBSD A local user that is allowed to use /dev/systrace can obtain root access.

NetBSD Security Advisory 2004-007
		 =================================

Topic:		Systrace systrace_exit() local root

Version:	NetBSD-current:	source prior to Apr 16, 2004
		netBSD 2.0 branch:	source prior to Apr 16, 2004
		netBSD 1.6.2:	not affected
		NetBSD 1.6.1:	not affected
		NetBSD 1.6:	not affected
		NetBSD-1.5.3:	not affected
		NetBSD-1.5.2:	not affected
		NetBSD-1.5.1:	not affected
		NetBSD-1.5:	not affected

Severity:	local root exploit

Fixed:		NetBSD-current:		Apr 17, 2004
		NetBSD-2.0 branch:      Apr 17, 2004 (2.0 will include
							the fix)

Abstract
========

A local user that is allowed to use /dev/systrace can obtain root
access.



Technical Details
=================

systrace_exit() did not check if the connection to systrace was owned by
the super user, and would set euid to 0 on exit.


Solutions and Workarounds
=========================

*** Patching from sources:

The fix for this issue is contained in the one file,
sys/kern/kern_systrace.c 

The following table lists the fixed revisions and
dates of this file for each branch:

  CVS branch     revision     date
  -------------  -----------  ----------------
  HEAD           1.38         2004/04/17
  netbsd-2-0     1.37.2.1     2004/04/17

The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and installing a
new version of the kernel. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  ARCH     with your architecture (from uname -m), and
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r BRANCH sys/kern/sysv_shm.c
        # cd sys/arch/ARCH/conf
        # config KERNCONF
        # cd ../compile/KERNCONF
        # make depend;make
        # mv /netbsd /netbsd.old
        # cp netbsd /
        # reboot


* Binary Patch:

        Binary patches are being provided, in the form of replacement
        kernels built with the patches from the GENERIC kernel
        configuration. If you use a custom kernel configuration, these
        may not be suitable for you.

netbsd-current:

	Releng does not compile -current kernels during a release cycle.
	Users of -current are expected to be capable of upgrading from
	sources.


netbsd-2-0:

	Retreive a kernel from:

 	ftp://releng.netbsd.org/pub/NetBSD-daily/netbsd-2-0/DATE/ARCH/binary/kernel/

	Where DATE is any available DATE later than 2004-04-17


Thanks To
=========

Stefan Esser for detection and notification
Niels Provos for patches


Revision History
================

	2004-05-12	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
   ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-007.txt.asc

Information about NetBSD and NetBSD security can be found at 
http://www.NetBSD.org/ and  http://www.NetBSD.org/Security/.


Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-007.txt,v 1.2 2004/05/12 15:39:10 david Exp $