-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:55                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          procfs vulnerability leaks set[ug]id process memory

Category:       core
Module:         procfs
Announced:      2001-08-21
Credits:        Joost Pol <joost@contempt.nl>
Affects:        FreeBSD 4.x, 4.3-STABLE prior to the correction
                date.
Corrected:      2001-08-12 07:29 PDT (4.3-STABLE)
                2001-08-13 12:45 PDT (RELENG_4_3)
FreeBSD only:   Yes

I.   Background

procfs is the process filesystem, which presents a filesystem
interface to the system process table, together with associated data.
procfs provides access to the memory space of processes via the
synthetic /proc/<pid>/mem file, subject to access control checks.

linprocfs is an implementation of procfs which implements a
Linux-style procfs, for use with Linux binaries so they can obtain
access to exported kernel data.  It uses procfs to provide the
/proc/<pid>/mem file.

II.  Problem Description

Prior to the migration of system monitoring utilities (such as ps(8))
to use the sysctl(8) management interface, these utilities formerly
used procfs and direct kernel memory access to extract process
information, and they ran with the setgid kmem privilege to allow
direct kernel memory access.  The procfs code checks for gid kmem
privilege when granting access to the /proc/<pid>/mem file -- however,
the code which is used to allow read-only access via the kmem group
was incorrect, and inappropriately granted read access to the caller
as long as they already had an open file descriptor for the procfs mem
file.

The result of this problem is that if a process initially has
debugging rights to a second process, it may retain access to the
target process' memory space, even if the target process has upgraded
privilege by virtue of performing an execve() call on a setuid or
setgid process.  This vulnerability can lead to the leaking of
sensitive information from such processes, which could be used as the
basis for additional attacks, resulting in escalation of attacker
privilege on the system.

The linprocfs filesystem is also vulnerable to the problem if procfs
support is available in the kernel (statically compiled in, or
dynamically loaded as a module).  If procfs support is not available
then linprocfs is not vulnerable to this problem.

All released versions of FreeBSD 4.x including FreeBSD 4.3-RELEASE are
vulnerable to this problem if the procfs filesystem is in use.  It was
corrected prior to the (forthcoming) release of FreeBSD 4.4-RELEASE.

III. Impact

Attackers may be able to extract sensitive system information, such as
password hashes from the /etc/master.passwd file, from setuid or
setgid processes, such as su(1).  This information could be used by
attackers to escalate their privileges, possibly yielding root
privileges on the local system.

Because this attack may only be used on processes that initially are
"debuggable" by the attacking process, this attack is limited to
executed processes which gain privilege by virtue of being setuid or
setgid, and so it cannot be used against other processes which are
already running with privilege such as already-running daemons
containing sensitive system information.

IV. Workaround

To work around the problem, perform the following steps as root:

Unmount all instances of the procfs and linprocfs filesystems using
the unmount(8) command:

# umount -f -a -t procfs
# umount -f -a -t linprocfs

Disable the automatic mounting of all instances of procfs in /etc/fstab:
remove or comment out the line(s) of the following form:

proc			/proc		procfs	rw	0	0
proc			/compat/linux/proc linprocfs rw	0	0

V. Solution

1) Upgrade your vulnerable system to 4.3-STABLE or the RELENG_4_3
security branch, dated after the respective correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:55/procfs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:55/procfs.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply to FreeBSD 4.3-RELEASE and
4.2-RELEASE (users of 4.2-RELEASE should already have the patch from
FreeBSD SA-00:77.procfs installed).  It may or may not apply to older,
unsupported releases of FreeBSD.

# cd /usr/src/sys
# patch -p < /path/to/patch

If procfs is statically compiled into the kernel (i.e. the kernel
configuration file contains the line 'options PROCFS'), then rebuild
and reinstall your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system with the new kernel for the changes to take effect.  By default
procfs is statically compiled in the GENERIC kernel configuration.

If procfs is dynamically loaded by KLD (use the kldstat(8) command to
verify whether this is the case) and the system securelevel has not
been raised to a level of 1 or higher, the system can be patched at
run-time without requiring a reboot by performing the following steps
after patching the source as described above:

# cd /usr/src/sys/modules/procfs
# make depend
# make all install
# umount -f -a -t procfs
# kldunload procfs
# kldload procfs
# mount -a -t procfs

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to
provide testing and feedback on the binary upgrade process.  This
package may be installed on FreeBSD 4.3-RELEASE systems only, and is
intended for use on systems for which source patching is not practical
or convenient.

If you use the upgrade package, feedback (positive or negative) to
security-officer@FreeBSD.org is requested so we can improve the
process for future advisories.

During the installation procedure, backup copies are made of the
files which are replaced by the package.  These backup copies will
be reinstalled if the package is removed, reverting the system to a
pre-patched state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:55/security-patch-procfs-01.55.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:55/security-patch-procfs-01.55.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-procfs-01.55.tgz

Restart your system after applying the patch.

VI.  CVS Revisions

The following $FreeBSD$ CVS revisions contain the fixes for this
vulnerability.  The $FreeBSD$ revision of installed sources can be
examined using the ident(1) command.  These revision IDs are not
updated by applying the patch referenced above.

[FreeBSD 4.3-STABLE]

  Revision  Path
  1.3.2.5   src/sys/i386/linux/linprocfs/linprocfs_vnops.c
  1.32.2.2  src/sys/miscfs/procfs/procfs.h
  1.46.2.2  src/sys/miscfs/procfs/procfs_mem.c
  1.76.2.5  src/sys/miscfs/procfs/procfs_vnops.c

[RELENG_4_3]

  Revision      Path
  1.3.2.3.2.1   src/sys/i386/linux/linprocfs/linprocfs_vnops.c
  1.32.2.1.2.1  src/sys/miscfs/procfs/procfs.h
  1.46.2.1.2.1  src/sys/miscfs/procfs/procfs_mem.c
  1.76.2.3.2.1  src/sys/miscfs/procfs/procfs_vnops.c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO4LGfFUuHi5z0oilAQGvFAP9Es3OpWi/tolP9Kfbw3+EWCfGupQ9QMtP
xTKwwmp8epr+So1x+bHNaXBdGm5DJq4fvqUOh5kUHkNM5Gfkp2gPPwWXB9J6Ct3e
ut3nUlJBeY8K+qV8DGdH4/InuW4HG+Jvw0WSGCmTZnz6q17K0ESJXp2cS5qB7eeL
/66o9YNotkE=
=FHFP
-----END PGP SIGNATURE-----