NetBSD procfs allows root privileges

netbsd-procfs (3995)

High Risk

Description:

The proc filesystem (procfs) in BSD systems could allow a local attacker to trick a setuid binary into writing to the /proc/<pid>/mem file. The /proc/<pid> directory contains the resources for running processes, including the memory image of the process (mem). Users do not have permissions to read or write to this file. However, an attacker can bypass this restriction by using a setuid binary to write to the memory image of another process. By writing to the memory image of another setuid binary, an attacker can cause the binary to execute a shell.

Platforms Affected:

• FreeBSD, FreeBSD 3.0
• FreeBSD, FreeBSD 3.1
• FreeBSD, FreeBSD 3.2
• FreeBSD, FreeBSD 3.3
• FreeBSD, FreeBSD 3.4
• FreeBSD, FreeBSD 4.0
• NetBSD, NetBSD 1.4.1

Remedy:

For FreeBSD:
Apply the patch, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-00:02. See References.

For NetBSD:
Apply the patch, as listed in NetBSD Security Advisory NetBSD-SA2000-001. See References.

For OpenBSD:
Apply the patch, as listed in OpenBSD Security Advisory, Dec 18, 2000. See References.

Consequences:

Gain Privileges

References:

• BugTraq Mailing List, Fri Jan 21 2000 - 14:10:06 CST, *BSD procfs vulnerability at http://archives.neohapsis.com/archives/bugtraq/2000-01/0345.html.
• FreeBSD Security Advisory FreeBSD-SA-00:02, Old procfs hole incompletely filled at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:02.procfs.asc.
• NetBSD Security Advisory 2000-001, procfs security hole at ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-001.txt.asc.
• OpenBSD Security Advisory, Dec 18, 2000, Procfs contained numerous overflows, which could lead an intruder to root permissions. at http://www.openbsd.org/errata.html#procfs.
• BID-940: Multiple Vendor BSD /proc File Sytem Vulnerability
• CVE-2000-0094: procfs in BSD systems allows local users to gain root privileges by modifying the /proc/pid/mem interface via a modified file descriptor for stderr.
• OSVDB ID: 20760: Multiple BSD procfs /proc/[pid]/ setuid Binary Privileged Command Execution

Reported:

Feb 16, 2000

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page