146 lines
5 KiB
Text
146 lines
5 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA1
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-13:06.mmap Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Privilege escalation via mmap
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2013-06-18
|
|
Credits: Konstantin Belousov
|
|
Alan Cox
|
|
Affects: FreeBSD 9.0 and later
|
|
Corrected: 2013-06-18 07:04:19 UTC (stable/9, 9.1-STABLE)
|
|
2013-06-18 07:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)
|
|
CVE Name: CVE-2013-2171
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:http://security.FreeBSD.org/>.
|
|
|
|
0. Revision History
|
|
|
|
v1.0 2013-06-18 Initial release.
|
|
v1.1 2013-06-21 Corrected correction date.
|
|
Added workaround information.
|
|
|
|
I. Background
|
|
|
|
The FreeBSD virtual memory system allows files to be memory-mapped.
|
|
All or parts of a file can be made available to a process via its
|
|
address space. The process can then access the file using memory
|
|
operations rather than filesystem I/O calls.
|
|
|
|
The ptrace(2) system call provides tracing and debugging facilities by
|
|
allowing one process (the tracing process) to watch and control
|
|
another (the traced process).
|
|
|
|
II. Problem Description
|
|
|
|
Due to insufficient permission checks in the virtual memory system, a
|
|
tracing process (such as a debugger) may be able to modify portions of
|
|
the traced process's address space to which the traced process itself
|
|
does not have write access.
|
|
|
|
III. Impact
|
|
|
|
This error can be exploited to allow unauthorized modification of an
|
|
arbitrary file to which the attacker has read access, but not write
|
|
access. Depending on the file and the nature of the modifications,
|
|
this can result in privilege escalation.
|
|
|
|
To exploit this vulnerability, an attacker must be able to run
|
|
arbitrary code with user privileges on the target system.
|
|
|
|
IV. Workaround
|
|
|
|
Systems that do not allow unprivileged users to use the ptrace(2)
|
|
system call are not vulnerable, this can be accomplished by setting
|
|
the sysctl variable security.bsd.unprivileged_proc_debug to zero.
|
|
Please note that this will also prevent debugging tools, for instance
|
|
gdb, truss, procstat, as well as some built-in debugging facilities in
|
|
certain scripting language like PHP, etc., from working for unprivileged
|
|
users.
|
|
|
|
The following command will set the sysctl accordingly and works until the
|
|
next reboot of the system:
|
|
|
|
sysctl security.bsd.unprivileged_proc_debug=0
|
|
|
|
To make this change persistent across reboot, the system administrator
|
|
should also add the setting into /etc/sysctl.conf:
|
|
|
|
echo 'security.bsd.unprivileged_proc_debug=0' >> /etc/sysctl.conf
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch
|
|
# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch.asc
|
|
# gpg --verify mmap.patch.asc
|
|
|
|
b) Apply the patch.
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
3) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/9/ r251902
|
|
releng/9.1/ r251903
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing XXXXXX with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cXXXXXX --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing XXXXXX with the revision number:
|
|
|
|
<URL:http://svnweb.freebsd.org/base?view=revision&revision=XXXXXX>
|
|
|
|
VII. References
|
|
|
|
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2171>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:06.mmap.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iEYEARECAAYFAlHExy0ACgkQFdaIBMps37L8PwCdGXatzPm7OWjZu+GmbbXQC16/
|
|
8sgAoJ0LEmREO8Mp7f4YcLHAEwgnJtjT
|
|
=WRZD
|
|
-----END PGP SIGNATURE-----
|