Some of NetBSD's functions that implement execution of foreign binaries use argument data in an unsafe manner. The implications range from a simple DoS against the entire system to elevation of privileges.
Credit:
The information has been provided by NetBSD Security-Officer.
The original articles can be found at:
http://gleg.net/advisory_netbsd2.shtml
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-010.txt.asc
Vulnerable Systems:
* NetBSD-current: source prior to Oct 27, 2004
* NetBSD version 1.6.x
* NetBSD version 1.5.x
Immune Systems:
* NetBSD current from Oct 28, 2004
* NetBSD version 2.0
* NetBSD version 1.6.3
Kernel syscall implementations must perform appropriate sanity checks on data passed from userland. The native system calls perform appropriate checks. However, the compatibility code responsible for execution of foreign binaries does not.
The issue was originally reported by Evgeny Demidov.
The compat subsystem, in /usr/src/sys/compat/*, allows NetBSD users to run binaries compiled for other operating systems which run on the same CPU architecture as the NetBSD host. Typically, the foreign OS supports a set of system calls which are very similar to NetBSD's. Native instructions do not need to be translated, but calls to the operating system do.
A binary's native OS is determined at exec() time. The kernel maps the syscall table for the native OS so that each syscall is delivered to a foreign OS -> NetBSD translation function, if needed. These translation functions reorder arguments, reformat them, perform mapping of constants (such as signal(3) IDs) and call the appropriate native NetBSD system call to service the application's needs.
Some of the translation functions performed unsafe operations using the syscall arguments, and were exploitable to cause kernel traps. Some of the flaws may be exploitable and result in privilege escalation.
All of these attacks require local access to the system. A system with only trusted user accounts is not immediately at risk. A system running a custom kernel with all 'options COMPAT_' commented out is not at risk.
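The advisory states the rule (syscall translation functions must sanity-check every value that arrives from userland before using it to size a copy, index a table or select a constant) but shows no code. The following is an added, constructed user-space model of such a compat translation shim; it is not NetBSD code, and the struct layout, the foreign-to-native signal map, the modelled user mapping and the function names are all assumptions made for the illustration. It translates a hypothetical foreign "set signal mask" call into a native bitmask and shows the three checks a translation function owes the kernel: a bounded length before the copy, a copyin(9)-style pointer check, and a bounds check on the constant-mapping table index.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed user-space model of a compat syscall translation shim.
 * Nothing here is NetBSD code; all names and layouts are assumptions.
 */

/* Modelled userland mapping: the only range the "kernel" may copy from. */
#define USER_BASE 0x10000000UL
static unsigned char user_mem[4096];

/* Emulated copyin(9): EFAULT unless [uaddr, uaddr + len) lies in user_mem. */
static int model_copyin(uintptr_t uaddr, void *kaddr, size_t len)
{
    if (uaddr < USER_BASE || len > sizeof(user_mem) ||
        uaddr - USER_BASE > sizeof(user_mem) - len)
        return EFAULT;
    memcpy(kaddr, user_mem + (uaddr - USER_BASE), len);
    return 0;
}

/* Assumed foreign-OS argument block for a "set signal mask" call: a user
 * pointer to an array of foreign signal numbers plus its element count. */
struct foreign_sigmask_args {
    uintptr_t sigs_uaddr;   /* user pointer to uint32_t[count] */
    uint32_t  count;        /* element count, supplied by userland */
};

/* Native side: a fixed-size bitmask over signals 1..NATIVE_NSIG-1. */
#define NATIVE_NSIG 32
#define MAX_FOREIGN_SIGS 64     /* size of the kernel-side staging buffer */
struct native_sigmask { uint32_t bits; };

/* Constructed foreign -> native signal number map, indexed by foreign
 * signal number; 0 means "no native equivalent". */
#define FOREIGN_NSIG 8
static const int foreign_to_native_sig[FOREIGN_NSIG] = {
    0, 1, 2, 0, 9, 15, 0, 10,
};

/* Hardened translation: every value derived from userland is validated
 * before it sizes a copy, indexes a table or selects a bit. */
int compat_translate_sigmask(const struct foreign_sigmask_args *a,
                             struct native_sigmask *out)
{
    uint32_t staging[MAX_FOREIGN_SIGS];
    int err;

    /* 1. Length sanity: bound the element count before deriving a byte
     *    size from it, so userland cannot overrun the staging buffer. */
    if (a->count > MAX_FOREIGN_SIGS)
        return EINVAL;

    /* 2. Pointer sanity: the copyin routine validates the user range;
     *    the user pointer is never dereferenced directly. */
    err = model_copyin(a->sigs_uaddr, staging,
                       (size_t)a->count * sizeof(uint32_t));
    if (err != 0)
        return err;

    /* 3. Constant mapping with a bounds check on the table index. */
    out->bits = 0;
    for (uint32_t i = 0; i < a->count; i++) {
        uint32_t fsig = staging[i];
        if (fsig >= FOREIGN_NSIG)
            return EINVAL;
        int nsig = foreign_to_native_sig[fsig];
        if (nsig <= 0 || nsig >= NATIVE_NSIG)
            continue;           /* no native equivalent: skip it */
        out->bits |= 1u << nsig;
    }
    return 0;
}

/* Demo helper: place a signal array into the modelled user mapping at the
 * given offset and return its user address. */
uintptr_t model_user_store(size_t offset, const uint32_t *sigs, uint32_t count)
{
    memcpy(user_mem + offset, sigs, (size_t)count * sizeof(uint32_t));
    return USER_BASE + offset;
}

int main(void)
{
    static const uint32_t sigs[] = {1, 4, 5};
    struct foreign_sigmask_args a = { model_user_store(0, sigs, 3), 3 };
    struct native_sigmask m;

    printf("valid args   -> err=%d bits=0x%08x\n",
           compat_translate_sigmask(&a, &m), m.bits);
    a.count = 1000;             /* oversized count from "userland" */
    printf("huge count   -> err=%d (EINVAL=%d)\n",
           compat_translate_sigmask(&a, &m), EINVAL);
    a.count = 3; a.sigs_uaddr = 0x1;   /* pointer outside the user mapping */
    printf("bad pointer  -> err=%d (EFAULT=%d)\n",
           compat_translate_sigmask(&a, &m), EFAULT);
    return 0;
}
```

The order of the checks matters: the count is bounded before it is multiplied into a byte length, the copy goes through the range-checking helper rather than a raw pointer, and the foreign signal number is compared against the table size before it is used as an index. A translation function that skips any one of these trusts userland for exactly the value the advisory says must not be trusted.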
Patch Availability:
The NetBSD 2.0 release already includes a fix for this issue. Users of the 1.6 branch are highly encouraged to upgrade to version 1.6.3.
Users of the 1.5 branch, which is considered end-of-life, are encouraged to upgrade to a newer version.