|
|
|
|
| |
NCurses is a text-mode display library used for formatting the output of applications on a variety of terminals. It is externally maintained, contributed code that is included in FreeBSD by default.
Certain setuid/setgid software (including FreeBSD base system utilities and third party ports/packages) may be vulnerable to a local exploit yielding privileged access.
The /usr/bin/systat utility is known to be vulnerable to this problem in ncurses. At this time is unknown whether /usr/bin/top and /usr/sbin/lpc are also affected. |
| |
Credit:
The information has been provided by Jouko Pynnonen and FreeBSD Security Advisories.
|
| |
Vulnerable systems:
FreeBSD 5.0-CURRENT, 4.x prior to the correction date.
FreeBSD 3.x vulnerability status currently unconfirmed.
Corrected:
2000-10-11 (FreeBSD 4.1.1-STABLE)
There is an overflowable buffer in the libncurses library in the processing of cursor movement capabilities. An attacker can force a privileged application to use the attacker's termcap file containing a specially crafted terminal entry, which will trigger the vulnerability when the problematic ncurses code is called. This enables arbitrary code execution on the local system with the privileges of the exploited binary.
The systat utility included in the FreeBSD base system is known to use vulnerable ncurses routines. It runs with increased privileges as a member of the kmem group, which allows it to read from kernel memory (but not write to it). A process with the ability to read from kernel memory can monitor privileged data such as network traffic, disk buffers and terminal activity, and may be able to leverage this to obtain further privileges on the local system or on other systems, including root privileges.
There may be other vulnerable applications included in the FreeBSD 4.x base system, but no others are confirmed to be vulnerable due to the difficulty in identifying a complete list of vulnerable ncurses functions. However, the following is a complete list of FreeBSD system binaries which link against ncurses and run with increased privileges. They may or may not be vulnerable to exploitation:
/usr/sbin/lpc
/usr/bin/top
/usr/bin/systat
FreeBSD 3.x and earlier versions use a very old, customized version of ncurses that is difficult to update without breaking backwards-compatibility. The update was made for FreeBSD 4.0, but 3.x will not be updated to the newer version. At this stage, the vulnerability has not been confirmed in FreeBSD 3.x.
Workaround:
It is not feasible to reliably detect binaries that are vulnerable to the ncurses vulnerability, however the provided utility will scan for privileged binaries which use ncurses and which may potentially be vulnerable. Some of the binaries reported may not in fact be vulnerable, but should be recompiled anyway for maximum assurance of security.
Statically linked binaries that are identified as potentially vulnerable should be recompiled from source code if possible, after patching and recompiling libncurses, in order to correct the vulnerability. Dynamically linked binaries will be corrected by simply patching and recompiling libncurses as described below.
As an interim measure, consider removing any identified setuid or setgid binary, removing set[ug]id privileges from the file, or limiting the file access permissions, as appropriate.
Of course, it is possible that some of the identified files may be required for the correct operation of your local system, in which case there is no clear workaround except for limiting the set of users who may run the binaries, by an appropriate use of user groups and removing the "o+x" file permission bit.
1) Download the 'scan_ncurses.sh' and 'test_ncurses.sh' scripts from
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh
E.g. with the fetch(1) command:
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
Receiving scan_ncurses.sh (381 bytes): 100% 381 bytes transferred in 0.1 seconds (7.03 kBps)
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh
Receiving test_ncurses.sh (604 bytes): 100% 604 bytes transferred in 0.1 seconds (6.55 kBps)
2) Verify the md5 checksums and compare to the value below:
# md5 scan_ncurses.sh
MD5 (scan_ncurses.sh) = 597f63af701253f053581aa1821cbac1
# md5 test_ncurses.sh
MD5 (test_ncurses.sh) = 12491ceb15415df7682e3797de53223e
3) Run the scan_ncurses.sh script against your system:
# chmod a+x ./test_ncurses.sh
# sh scan_ncurses.sh ./test_ncurses.sh /
This will scan your entire system for setuid or setgid binaries that make use of the ncurses library. Each returned binary should be examined (e.g. with 'ls -l' and/or other tools) to determine what security risk it poses to your local environment, e.g. whether it can be run by arbitrary local users who may be able to exploit it to gain privileges.
4) Remove the binaries, or reduce their file permissions, as appropriate.
Solution:
Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE after the correction date, or patch your present system source code and rebuild. Then run the scan_ncurses.sh script as instructed in Workaround section and identify any statically-linked binaries as reported by the script. These should either be removed, recompiled, or have privileges restricted to secure them against this vulnerability (since statically-linked binaries will not be affected by simply recompiling the shared libncurses library).
To patch your present system: download the updated ncurses code from the below location, and execute the following commands as root:
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz.asc
# cd /usr/src
# tar xvfz /path/to/ncurses.tar.gz
# cd /usr/src/lib/libncurses
# make all
# make install
In contrast to the usual practice, a simple patch fixing the security vulnerability is not provided because the vendor did not make one available, and the updated ncurses snapshot which fixed the vulnerability contains numerous other changes whose purpose and relation to the fix was unclear.
|
|
|
|
|
