From owner-doc-jp@jp.freebsd.org  Fri Sep  7 10:32:36 2001
Date: Fri, 07 Sep 2001 10:29:58 +0900 (JST)
Message-Id: <20010907.102958.71142536.hrs@eos.ocn.ne.jp>
To: doc-jp@jp.freebsd.org
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
In-Reply-To: <20010907075429.89F1.ASATOH@pc.mycom.co.jp>
References: <20010907075429.89F1.ASATOH@pc.mycom.co.jp>
X-Mailer: Mew version 1.95b101 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+010328
X-Sequence: doc-jp 8375
Subject: [doc-jp 8375] Re: FreeBSD-SA-01:55
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@eos.ocn.ne.jp

This is Sato from Tokyo University of Science.

SATO Akihiro <asatoh@pc.mycom.co.jp> wrote
  in <20010907075429.89F1.ASATOH@pc.mycom.co.jp>:

asatoh> It has been a few days since the original was released, but here is the translation of SA-01:55.

 $B$"$&!"$4$a$s$J$5$$!#(B01:55 $B$r=P$7K:$l$F$^$7$?!#(B
 $BA0H>ItJ,$@$1=P$7$F$*$-$^$9$N$G::FI$N;29M$K$7$F$/$@$5$$!#(B

 $B$"$H(B 01:57, 59 $B$,<j85$K$"$j$^$9!#(B

  # I am currently somewhere I cannot get access from, so
  # I will post them when I get back.

--
| Hiroki Sato @ Tokyo University of Science <hrs@eos.ocn.ne.jp>
|                         <hrs@FreeBSD.org> (FreeBSD Project)

(From here)

I.   $BGX7J(B - Background

procfs is the process filesystem, which presents a filesystem
interface to the system process table, together with associated data.
procfs provides access to the memory space of processes via the
synthetic /proc/<pid>/mem file, subject to access control checks.

procfs $B$H$O(B, $B%7%9%F%`$N%W%m%;%9%F!<%V%k$*$h$S(B, $B$=$l$K4XO"$9$k%G!<%?$X$N(B
$B%U%!%$%k%7%9%F%`%$%s%?!<%U%'%$%9$rDs6!$9$k(B, $B%W%m%;%9%U%!%$%k%7%9%F%`$G$9(B.
procfs $B$G$O%W%m%;%9$N%a%b%j6u4V$X$N%"%/%;%9<jCJ$*$h$S(B, $B$=$N:]$N(B
$B%"%/%;%9@)8f%A%'%C%/$r(B /proc/<pid>/mem $B%U%!%$%k$rMQ$$$k$3$H$G<B8=$7$F$$$^$9(B.

linprocfs is an implementation of procfs which implements a
Linux-style procfs, for use with Linux binaries so they can obtain
access to exported kernel data.  It uses procfs to provide the
/proc/<pid>/mem file.

linprocfs $B$H$O(B Linux $BIw$N(B procfs $B$r<B8=$9$k$?$a$N(B procfs $B<BAu$N0l$D$G(B,
Linux $B%P%$%J%j$+$i(B export $B$5$l$?%+!<%M%k%G!<%?$K%"%/%;%9$G$-$k$h$&$K(B
$B$9$k$?$a$N$b$N$G$9(B.  $B$3$l$O(B /proc/<pid>/mem $B$rDs6!$9$k$?$a$K(B
procfs $B$r;H$C$F$$$^$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

Prior to the migration of system monitoring utilities (such as ps(8))
to use the sysctl(8) management interface, these utilities formerly
used procfs and direct kernel memory access to extract process
information, and they ran with the setgid kmem privilege to allow
direct kernel memory access.  The procfs code checks for gid kmem
privilege when granting access to the /proc/<pid>/mem file -- however,
the code which is used to allow read-only access via the kmem group
was incorrect, and inappropriately granted read access to the caller
as long as they already had an open file descriptor for the procfs mem
file.

(ps(8) $B$N$h$&$J(B) $B%7%9%F%`$N%b%K%?%j%s%0%f!<%F%#%j%F%#$O(B,
$B4IM}>pJs$X$N%"%/%;%9$K(B sysctl(8) $B$rMxMQ$9$k$h$&$KJQ99$5$l$k$^$G(B,
procfs $B$rMQ$$$F%+!<%M%k$N%a%b%j6u4V$+$iD>@\(B, $B%W%m%;%9>pJs$r(B
$BCj=P$7$F$$$^$7$?(B.  $B$^$?(B, $B$=$N$h$&$J%f!<%F%#%j%F%#$O(B 
$B%+!<%M%k$N%a%b%j6u4V$XD>@\%"%/%;%9$G$-$k$h$&$K$9$k$?$a(B,
kmem $B%0%k!<%W$G(B setgid $B$5$l$F$$$^$7$?(B.
procfs $B$N%3!<%I$O(B /proc/<pid>/mem $B%U%!%$%k$N%"%/%;%9$KBP$7$F(B
kmem $B%0%k!<%W8"8B$r;}$C$F$$$k$3$H$r%A%'%C%/$9$k$h$&$K$J$C$F$$$^$9(B.
$B$7$+$7(B kmem $B%0%k!<%W8"8B$GFI$_=P$7@lMQ%"%/%;%9$r5v2D$9$k%3!<%I$K(B
$B8m$j$,$"$j(B, open $B$5$l$?(B procfs mem $B%U%!%$%k$N%U%!%$%k5-=R;R$r(B
$B;}$C$F$$$l$P(B, ($BLuCm(B: kmem $B%0%k!<%W8"8B$r;}$C$F$$$J$$%W%m%;%9$+$i$G(B
$B$"$C$F$b(B) $BFI$_=P$7%"%/%;%9$rITE,@Z$K5v2D$7$F$7$^$$$^$9(B.

The result of this problem is that if a process initially has
debugging rights to a second process, it may retain access to the
target process' memory space, even if the target process has upgraded
privilege by virtue of performing an execve() call on a setuid or
setgid process.  This vulnerability can lead to the leaking of
sensitive information from such processes, which could be used as the
basis for additional attacks, resulting in escalation of attacker
privilege on the system.

This problem leads to the following situation.  Consider a case where
one process creates another, new process for debugging purposes.  If
the debugged process is setuid or setgid, it gains elevated privilege
through the execve() system call.  However, access to the memory space
of the debugged process remains possible even after that process has
gained elevated privilege.  This security weakness may cause the
leaking of sensitive information that could enable a secondary attack
aimed at gaining elevated privilege on the system.
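The access decision described above, as a constructed C model added here (it is not FreeBSD's procfs code): the check is made once at open time in both variants, but only the corrected read path re-evaluates the caller's debugging rights against the target's current credentials, so a descriptor opened before the target's execve() of a setuid image stops working afterwards. All names, the debugging-rights rule and the scenario values are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a process: credentials plus a flag set when the
 * process has exec'd a setuid/setgid image (hypothetical, not a real struct). */
typedef struct {
    unsigned uid;
    unsigned gid;
    bool sugid;
} model_proc;

/* Constructed model of an open /proc/<pid>/mem descriptor. */
typedef struct {
    const model_proc *target;
    bool open;
} model_memfd;

/* Simplified debugging-rights rule assumed for this model: root may always
 * debug; otherwise same uid and the target must not have changed privilege. */
static bool can_debug(const model_proc *caller, const model_proc *target)
{
    if (caller->uid == 0)
        return true;
    return caller->uid == target->uid && !target->sugid;
}

/* open: both variants check debugging rights exactly once here. */
static bool mem_open(model_memfd *fd, const model_proc *caller, const model_proc *target)
{
    fd->target = target;
    fd->open = can_debug(caller, target);
    return fd->open;
}

/* Vulnerable read path: trusts the already-open descriptor and nothing else. */
static bool mem_read_vulnerable(const model_memfd *fd, const model_proc *caller)
{
    (void)caller;
    return fd->open;
}

/* Corrected read path: re-checks rights against the target's *current* credentials. */
static bool mem_read_fixed(const model_memfd *fd, const model_proc *caller)
{
    return fd->open && can_debug(caller, fd->target);
}

/* Scenario from the advisory: a debugger opens the mem file of its unprivileged
 * child, then the child execve()s a setuid-root image. Returns 1 if the read
 * is still allowed afterwards, 0 if denied, -1 if the initial open failed. */
static int scenario(bool fixed)
{
    model_proc debugger = {1001, 1001, false};
    model_proc child = {1001, 1001, false};  /* constructed sample credentials */
    model_memfd fd = {NULL, false};
    if (!mem_open(&fd, &debugger, &child))
        return -1;
    child.uid = 0;
    child.sugid = true;                      /* privilege gained via execve() */
    bool ok = fixed ? mem_read_fixed(&fd, &debugger) : mem_read_vulnerable(&fd, &debugger);
    return ok ? 1 : 0;
}
```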

The linprocfs filesystem is also vulnerable to the problem if procfs
support is available in the kernel (statically compiled in, or
dynamically loaded as a module).  If procfs support is not available
then linprocfs is not vulnerable to this problem.

If the kernel supports procfs (either compiled in statically, or loaded
dynamically as a module), the linprocfs filesystem has the same
weakness.  If procfs is not enabled, linprocfs has no security weakness
from this problem.

All released versions of FreeBSD 4.x including FreeBSD 4.3-RELEASE are
vulnerable to this problem if the procfs filesystem is in use.  It was
corrected prior to the (forthcoming) release of FreeBSD 4.4-RELEASE.

procfs $B%U%!%$%k%7%9%F%`$rM-8z2=$7$F$$$k(B FreeBSD 4.3-RELEASE $B$*$h$S(B
FreeBSD 4.x $B$N$9$Y$F$N%j%j!<%9$,(B, $B$3$NLdBj$N1F6A$r<u$1$^$9(B.
$B$3$NLdBj$O(B, $B8x3+M=Dj$N(B FreeBSD 4.4-RELEASE $B$N%j%j!<%9A0$K=$@5$5$l$^$7$?(B.


III. $B1F6AHO0O(B - Impact

Attackers may be able to extract sensitive system information, such as
password hashes from the /etc/master.passwd file, from setuid or
setgid processes, such as su(1).  This information could be used by
attackers to escalate their privileges, possibly yielding root
privileges on the local system.

Attackers may be able to improperly obtain sensitive system information,
such as the password hashes in the /etc/master.passwd file, by using
setuid or setgid processes such as su(1).  There is also a risk that
attackers could use this information to obtain further privilege, for
example root privilege on the local system.

Because this attack may only be used on processes that initially are
"debuggable" by the attacking process, this attack is limited to
executed processes which gain privilege by virtue of being setuid or
setgid, and so it cannot be used against other processes which are
already running with privilege such as already-running daemons
containing sensitive system information.

Because this attack can only be carried out using processes that are
"debuggable from the time of creation" by the attacking process, its
scope is limited to processes that gain elevated privilege through
setuid or setgid.  There is no risk to existing processes that already
run with elevated privilege, such as running daemons holding sensitive
system information.
