FreeBSD procfs Access Control Vulnerability
BID:2130
Info
| Bugtraq ID: | 2130 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Dec 18 2000 12:00AM |
| Updated: | Dec 18 2000 12:00AM |
| Credit: | This vulnerability was discovered by Joost Pol <[email protected]> and Frank van Vliet <[email protected]>, and was announced in the FreeBSD Security Advisory issued to Bugtraq on December 18, 2000. |
| Vulnerable: | FreeBSD 4.2, FreeBSD 4.1.1, FreeBSD 4.1, FreeBSD 3.5.1 |
| Not Vulnerable: | |
Discussion
procfs is part of the FreeBSD Operating System, maintained by the FreeBSD Project. A problem exists which could allow a user to gain elevated privileges.
The problem occurs in the handling of access control in the /proc/<pid>/mem and /proc/<pid>/ctl files. These files provide access to process address space, making it possible to alter the operations of running processes. Abusing the weakness in /proc/<pid>/mem, one could fork() a process from a running process and use it to execute a setuid program. After the execution of the program, the user forking the process still retains read/write access to the memory space, and could use this for the execution of arbitrary code or commands. Therefore, it is possible for a user with malicious intent to abuse this weakness to gain elevated privileges, and potentially administrative privileges.
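The retained-access condition described above, modelled in user space as an added example; it is not FreeBSD kernel code or the advisory's patch. All struct and function names are hypothetical, and re-checking credentials on every access is an assumed shape for a fix, which this page does not describe.

```c
/* Added illustration: simplified user-space model, not FreeBSD kernel code.
   All names are hypothetical. */
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>

struct proc_model {          /* stand-in for a process */
    uid_t ruid, euid;        /* euid changes when a setuid image is executed */
    bool  sugid;             /* set once a setuid image has been executed */
    char  mem[16];           /* stand-in for the address space */
};
struct mem_handle {          /* stand-in for an open /proc/<pid>/mem descriptor */
    struct proc_model *target;
    uid_t opener;            /* uid that opened the handle */
};

/* May `uid` touch the memory of `p` given p's current credentials? */
static bool may_access(uid_t uid, const struct proc_model *p) {
    if (uid == 0) return true;
    return !p->sugid && uid == p->ruid && uid == p->euid;
}
/* Access is decided once, at open time. */
static bool mem_open(struct mem_handle *h, struct proc_model *p, uid_t uid) {
    if (!may_access(uid, p)) return false;
    h->target = p; h->opener = uid;
    return true;
}
/* Models exec of a setuid-root program: same process, new credentials. */
static void exec_setuid_root(struct proc_model *p) { p->euid = 0; p->sugid = true; }

/* Flawed: trusts the open-time decision for the life of the handle. */
static bool mem_write_unchecked(struct mem_handle *h, const char *s) {
    strncpy(h->target->mem, s, sizeof h->target->mem - 1);
    h->target->mem[sizeof h->target->mem - 1] = '\0';
    return true;
}
/* Hardened: re-evaluates the target's credentials on every access. */
static bool mem_write_checked(struct mem_handle *h, const char *s) {
    return may_access(h->opener, h->target) && mem_write_unchecked(h, s);
}

int main(void) {
    struct proc_model p = { .ruid = 1001, .euid = 1001, .mem = "orig" };
    struct mem_handle h;
    if (!mem_open(&h, &p, 1001)) return 1;   /* allowed: opener owns the process */
    exec_setuid_root(&p);                    /* target gains privilege afterwards */
    if (mem_write_checked(&h, "x")) return 1;      /* stale handle is refused */
    return mem_write_unchecked(&h, "y") ? 0 : 1;   /* flawed path still writes */
}
```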
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
The FreeBSD Security Team recommends that all affected users of the FreeBSD Operating System upgrade to a revision after the fix date, or apply one of the following patches to their source tree and rebuild the system from source:
FreeBSD 3.5.1: procfs.3.5.1.patch.v1.1
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:77/procfs.3.5.1.patch.v1.1
FreeBSD 4.1: procfs.4.1.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:77/procfs.4.1.patch
FreeBSD 4.1.1: procfs.4.1.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:77/procfs.4.1.patch
FreeBSD 4.2: procfs.4.2.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:77/procfs.4.2.patch