#1

push it, don´t hype
Registered: Dec 2002
Location: Lat 49' 11` North - Long 9' 13` East
Posts: 6,075
SECURITY ALERT: FreeBSD vulnerability

SECURITY ALERT
As just became known, there are two vulnerabilities in FreeBSD that allow a local attack on the system.

Vulnerability 1

What is the problem?
Local users can carry out attacks on the system. In that case the system can crash, memory contents can be read and manipulated, or the attacker can even execute arbitrary code with root privileges.

What is the error?
The error lies in the signal generation used for asynchronous communication with other processes, which allows invalid signal numbers to be generated. These incorrect signal numbers are caused by the faulty "ptrace()" function or by the "spigot" video capture device driver.

Affected systems?
System crash: all versions up to 4.8-RELEASE-p1 and 5.1-RELEASE
Code execution (if the kernel option INVARIANTS is not used): 5.0-RELEASE, 5.1-RELEASE

What can be done?
Install the patches: ftp://ftp.freebsd.org/pub/FreeBSD/CE...:09.signal.asc
Workaround for 5.x versions: compile the kernel with the INVARIANTS option (the DoS attack remains possible, though)

Vulnerability 2

What is the problem?
An error in the iBCS2 call translator for the statfs() function can allow a user to manipulate and pass a length parameter. The statfs() function returns information about mounted file systems; if the length parameter is larger, critical information from kernel memory can be returned (e.g. data from other sessions).

Affected systems?
Since iBCS2 is not supported by the FreeBSD kernel by default, the module would first have to be loaded. Then the following systems are affected:
up to and including FreeBSD 4.8-RELEASE-p2
FreeBSD 5.1-RELEASE-p1

What can be done?
Either disable the iBCS2 module,
or leave the module enabled and install the current patches: ftp://ftp.freebsd.org/pub/FreeBSD/CE...3:10.ibcs2.asc

Corrected versions (for both vulnerabilities)
Instead of the patch, cvsup your currently running version and rebuild the entire system.
2003-08-10 23:09:28 UTC (RELENG_4)
2003-08-10 23:14:08 UTC (RELENG_5_1)
2003-08-10 23:17:48 UTC (RELENG_5_0)
2003-08-10 23:19:35 UTC (RELENG_4_8)
2003-08-10 23:20:30 UTC (RELENG_4_7)
2003-08-10 23:21:18 UTC (RELENG_4_6)
2003-08-10 23:22:19 UTC (RELENG_4_5)
2003-08-10 23:23:05 UTC (RELENG_4_4)
2003-08-10 23:23:56 UTC (RELENG_4_3)

Complete mail from the FreeBSD security team:

From: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:09.signal
Date: Sun, August 10, 2003 8:57 pm
To: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
--------------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:09.signal                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient range checking of signal numbers

Category:       core
Module:         sys
Announced:      2003-08-10
Affects:        All releases of FreeBSD up to and including 4.8-RELEASE-p1,
                5.1-RELEASE (but see `Problem Description' below)
                FreeBSD 4-STABLE prior to the correction date
Corrected:      2003-08-10 23:09:28 UTC (RELENG_4)
                2003-08-10 23:14:08 UTC (RELENG_5_1)
                2003-08-10 23:17:48 UTC (RELENG_5_0)
                2003-08-10 23:19:35 UTC (RELENG_4_8)
                2003-08-10 23:20:30 UTC (RELENG_4_7)
                2003-08-10 23:21:18 UTC (RELENG_4_6)
                2003-08-10 23:22:19 UTC (RELENG_4_5)
                2003-08-10 23:23:05 UTC (RELENG_4_4)
                2003-08-10 23:23:56 UTC (RELENG_4_3)
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://www.freebsd.org/security/>.

I.   Background

Signals are a UNIX mechanism for handling asynchronous events such as
pressing the terminal interrupt key (e.g. Ctrl-C), job control, memory
access violations, I/O completion, and many others. Each signal is
assigned a positive number. There are a number of mechanisms by which a
process may cause a signal to be sent, including using the kill(2)
system call or registering with certain device drivers.

II.  Problem Description

Some mechanisms for causing a signal to be sent did not properly
validate the signal number, in some cases allowing the kernel to attempt
to deliver a negative or out-of-range signal number. Such errors were
present in the ptrace(2) system call and the `spigot' video capture
device driver.

The error in ptrace(2) was introduced in FreeBSD version 4.2-RELEASE
(4-STABLE dated Oct 26 04:34:41 2000 UTC).

The `spigot' device driver (including the error) was introduced in
FreeBSD 2.0.5. It has never been included in the kernel installed by
default, nor in the GENERIC kernel configuration. Only systems with
`device spigot' added to the kernel configuration are affected by this
instance of the error.

III. Impact

In most cases, attempted delivery of a negative or out-of-range signal
number will trigger an assertion failure and panic, thereby crashing the
system. A malicious local user could use this vulnerability as a local
denial-of-service attack.

However, in FreeBSD 5.x, the assertion code is not present if the
`INVARIANTS' kernel option is not used. In FreeBSD 5.0-RELEASE and
5.1-RELEASE, `INVARIANTS' is not enabled by default. In this
configuration, a malicious local user could use this vulnerability to
modify kernel memory, potentially leading to complete system compromise.
(FreeBSD 4.x is not vulnerable in this way.)

IV.  Workaround

There is no workaround for the local denial-of-service attack.

The more severe impact, present only in FreeBSD 5.x systems, can be
avoided by uncommenting or adding the `INVARIANTS' line to your kernel
configuration:

options INVARIANTS #Enable calls of extra sanity checking

Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

NOTE WELL: This workaround is only for FreeBSD 5.x systems. This
workaround does not eliminate the possibility of a local
denial-of-service attack.

V.   Solution

1) Upgrade your vulnerable system to 4.8-STABLE, or to any of the
RELENG_4_8 (4.8-RELEASE-p2), RELENG_4_7 (4.7-RELEASE-p12), or RELENG_5_1
(5.1-RELEASE-p1) security branches dated after the respective correction
dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.1-RELEASE]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C.../signal51.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C...nal51.patch.asc

[FreeBSD 5.0-RELEASE]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C.../signal50.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C...nal50.patch.asc

[FreeBSD 4.8-RELEASE, 4.8-STABLE, 4.7-STABLE dated Jan 2 20:39:13 2003 UTC or later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C.../signal4s.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C...nal4s.patch.asc

[FreeBSD 4.3-RELEASE through 4.7-RELEASE, 4.7-STABLE dated before Jan 2 20:39:13 2003 UTC]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C.../signal47.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C...nal47.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                           Branch         Revision
- -------------------------------------------------------------------------
src/sys/UPDATING                               RELENG_5_1     1.251.2.2
                                               RELENG_5_0     1.229.2.15
                                               RELENG_4_8     1.73.2.80.2.4
                                               RELENG_4_7     1.73.2.74.2.15
                                               RELENG_4_6     1.73.2.68.2.43
                                               RELENG_4_5     1.73.2.50.2.45
                                               RELENG_4_4     1.73.2.43.2.46
                                               RELENG_4_3     1.73.2.28.2.33
src/sys/conf/newvers.sh                        RELENG_5_1     1.50.2.3
                                               RELENG_5_0     1.48.2.10
                                               RELENG_4_8     1.44.2.29.2.3
                                               RELENG_4_7     1.44.2.26.2.14
                                               RELENG_4_6     1.44.2.23.2.32
                                               RELENG_4_5     1.44.2.20.2.29
                                               RELENG_4_4     1.44.2.17.2.37
                                               RELENG_4_3     1.44.2.14.2.23
src/sys/i386/isa/spigot.c                      RELENG_4       1.44.2.1
                                               RELENG_5_1     1.58.2.1
                                               RELENG_5_0     1.55.2.1
                                               RELENG_4_8     1.44.14.1
                                               RELENG_4_7     1.44.12.1
                                               RELENG_4_6     1.44.10.1
                                               RELENG_4_5     1.44.8.1
                                               RELENG_4_4     1.44.6.1
                                               RELENG_4_3     1.44.4.1
src/sys/kern/sys_process.c                     RELENG_4       1.51.2.7
                                               RELENG_5_1     1.108.2.1
                                               RELENG_5_0     1.104.2.1
                                               RELENG_4_8     1.51.2.6.2.1
                                               RELENG_4_7     1.51.2.4.2.1
                                               RELENG_4_6     1.51.2.3.4.1
                                               RELENG_4_5     1.51.2.3.2.1
                                               RELENG_4_4     1.51.2.1.4.2
                                               RELENG_4_3     1.51.2.1.2.2
src/sys/kern_sig.c                             RELENG_5_1     1.239.2.1
                                               RELENG_5_0     1.197.2.1
- -------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

=============================================================================

From: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:10.ibcs2
Date: Sun, August 10, 2003 8:57 pm
To: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
--------------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:10.ibcs2                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure via ibcs2

Category:       core
Module:         sys
Announced:      2003-08-10
Credits:        David Rhodus <drhodus@catpa.com>
Affects:        All FreeBSD releases up to and including 4.8-RELEASE-p2,
                5.1-RELEASE-p1
Corrected:      2003-08-10 23:30:18 UTC (RELENG_4)
                2003-08-10 23:28:16 UTC (RELENG_5_1)
                2003-08-10 23:29:10 UTC (RELENG_5_0)
                2003-08-10 23:31:11 UTC (RELENG_4_8)
                2003-08-10 23:31:51 UTC (RELENG_4_7)
                2003-08-10 23:32:22 UTC (RELENG_4_6)
                2003-08-10 23:32:44 UTC (RELENG_4_5)
                2003-08-10 23:33:18 UTC (RELENG_4_4)
                2003-08-10 23:33:50 UTC (RELENG_4_3)
                2003-08-10 23:35:21 UTC (RELENG_3)
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://www.freebsd.org/security/>.

I.   Background

FreeBSD contains a kernel option (IBCS2) and kernel loadable module
(ibcs2.ko) that provide system call translation for running Intel Binary
Compatibility Specification 2 (iBCS2) compliant programs. It is not
enabled in FreeBSD by default.

II.  Problem Description

The iBCS2 system call translator for statfs(2) erroneously used the
user-supplied length parameter when copying a kernel data structure into
userland. If the length parameter were larger than required, then
instead of copying only the statfs-related data structure, additional
kernel memory would also be made available to the user.

III. Impact

If iBCS2 support were enabled, a malicious user could call the iBCS2
version of statfs(2) with an arbitrarily large length parameter, causing
the kernel to return a large portion of kernel memory. Such memory might
contain sensitive information, such as portions of the file cache or
terminal buffers. This information might be directly useful, or it might
be leveraged to obtain elevated privileges in some way. For example, a
terminal buffer might include a user-entered password.

iBCS2 support is only present if the system administrator has enabled it
by including `option IBCS2' in the kernel configuration file, or loaded
it dynamically using kldload(8) or by setting `ibcs2_enable' in
rc.conf(5).

IV.  Workaround

Disable iBCS2 support if it is enabled.

V.   Solution

1) Upgrade your vulnerable system to 4.8-STABLE, or to any of the
RELENG_4_8 (4.8-RELEASE-p3), RELENG_4_7 (4.7-RELEASE-p13), or RELENG_5_1
(5.1-RELEASE-p2) security branches dated after the respective correction
dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

The following patch has been tested to apply to all FreeBSD 3.x, 4.x,
and 5.x releases.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C...:10/ibcs2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C...ibcs2.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                           Branch         Revision
- -------------------------------------------------------------------------
src/UPDATING                                   RELENG_5_1     1.251.2.3
                                               RELENG_5_0     1.229.2.16
                                               RELENG_4_8     1.73.2.80.2.5
                                               RELENG_4_7     1.73.2.74.2.16
                                               RELENG_4_6     1.73.2.68.2.44
                                               RELENG_4_5     1.73.2.50.2.46
                                               RELENG_4_4     1.73.2.43.2.47
                                               RELENG_4_3     1.73.2.28.2.34
src/sys/conf/newvers.sh                        RELENG_5_1     1.50.2.4
                                               RELENG_5_0     1.48.2.11
                                               RELENG_4_8     1.44.2.29.2.4
                                               RELENG_4_7     1.44.2.26.2.15
                                               RELENG_4_6     1.44.2.23.2.33
                                               RELENG_4_5     1.44.2.20.2.30
                                               RELENG_4_4     1.44.2.17.2.38
                                               RELENG_4_3     1.44.2.14.2.24
src/sys/i386/ibcs2/ibcs2_stat.c                RELENG_4       1.10.2.1
                                               RELENG_5_1     1.21.2.1
                                               RELENG_5_0     1.16.2.2
                                               RELENG_4_8     1.10.14.1
                                               RELENG_4_7     1.10.12.1
                                               RELENG_4_6     1.10.10.1
                                               RELENG_4_5     1.10.8.1
                                               RELENG_4_4     1.10.6.1
                                               RELENG_4_3     1.10.4.1
                                               RELENG_3       1.8.2.1
- -------------------------------------------------------------------------
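The two advisories quoted in the post describe two classic kernel input-validation failures: a signal number taken from user space that is never range-checked before the kernel indexes per-signal state with it (SA-03:09), and a user-supplied length handed straight to copyout so that whatever follows the reply structure on the kernel stack is copied to the caller (SA-03:10). The following C program is an added example and is not code from the advisories, the post or the FreeBSD source tree: it simulates both checks in user space. The signal ceiling `SIM_MAXSIG`, the `sim_ibcs2_statfs` layout, the `sim_kmem` array standing in for kernel memory and the `SIM_SECRET` string are all constructed assumptions; the vulnerable and fixed `cvt_statfs_*` functions only mirror the pattern the advisory describes (copy `len` bytes vs. clamp `len` to the structure size).

```c
/*
 * Added example (not from the advisories or FreeBSD): a user-space
 * simulation of the two checks added by SA-03:09 (signal number range)
 * and SA-03:10 (iBCS2 statfs copy length).  The signal limit, struct
 * layout, "kernel memory" and secret string are constructed here.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIM_MAXSIG 128  /* assumption: highest deliverable signal number */

/*
 * SA-03:09 pattern: a PT_CONTINUE/PT_KILL path must reject the signal
 * number before it is used as an index into per-signal kernel tables.
 * 0 means "continue without a signal" and is valid; negative or too
 * large values get EINVAL instead of reaching the delivery code.
 */
int check_ptrace_signal(int data)
{
    if (data < 0 || data > SIM_MAXSIG)
        return EINVAL;
    return 0;
}

/* Constructed stand-in for the iBCS2 statfs reply structure. */
struct sim_ibcs2_statfs {
    short f_type;
    long  f_bsize, f_frsize, f_blocks, f_bfree, f_files, f_ffree;
    char  f_fname[6];
    char  f_fpack[6];
};

/*
 * Simulated kernel memory: the statfs reply sits at offset 0, followed
 * by bytes that must never reach user space (in the real bug, whatever
 * was next on the kernel stack, e.g. a terminal buffer).
 */
#define SIM_SECRET "tty buffer: hunter2"
static unsigned char sim_kmem[256];

static void sim_setup_kmem(void)
{
    struct sim_ibcs2_statfs ssfs;

    memset(sim_kmem, 0, sizeof sim_kmem);
    memset(&ssfs, 0, sizeof ssfs);
    ssfs.f_type = 1;
    ssfs.f_bsize = 512;
    ssfs.f_blocks = 1000;
    ssfs.f_bfree = 250;
    memcpy(ssfs.f_fname, "ufs", 3);
    memcpy(sim_kmem, &ssfs, sizeof ssfs);
    memcpy(sim_kmem + sizeof ssfs, SIM_SECRET, sizeof SIM_SECRET);
}

/* copyout(9) stand-in: len bytes from "kernel" to "user". */
static int sim_copyout(const void *kaddr, void *uaddr, size_t len)
{
    memcpy(uaddr, kaddr, len);
    return 0;
}

/* Pre-fix pattern: the user-supplied length drives the copy. */
int cvt_statfs_vulnerable(void *ubuf, int len)
{
    sim_setup_kmem();
    /* the upper bound only keeps the simulation inside its own array;
     * the real kernel had no such limit */
    if (len < 0 || (size_t)len > sizeof sim_kmem)
        return EINVAL;
    return sim_copyout(sim_kmem, ubuf, (size_t)len);
}

/* Post-fix pattern: never copy more than the structure itself. */
int cvt_statfs_fixed(void *ubuf, int len)
{
    sim_setup_kmem();
    if (len < 0)
        return EINVAL;
    if ((size_t)len > sizeof(struct sim_ibcs2_statfs))
        len = (int)sizeof(struct sim_ibcs2_statfs);
    return sim_copyout(sim_kmem, ubuf, (size_t)len);
}

/* Byte-wise search, because the reply contains NULs before the secret. */
static int contains(const unsigned char *hay, size_t haylen, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= haylen; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/*
 * Call a translator the way an unprivileged user would, with a 256-byte
 * buffer and the given length.  Returns 1 if the secret leaked into the
 * user buffer, 0 if not, -1 if the call was rejected.
 */
int statfs_leaks_secret(int (*translator)(void *, int), int len)
{
    unsigned char ubuf[256];

    memset(ubuf, 0, sizeof ubuf);
    if (translator(ubuf, len) != 0)
        return -1;
    return contains(ubuf, sizeof ubuf, SIM_SECRET);
}

int main(void)
{
    int exact = (int)sizeof(struct sim_ibcs2_statfs);

    printf("ptrace sig -1  -> %s\n", check_ptrace_signal(-1) ? "EINVAL" : "ok");
    printf("ptrace sig 9   -> %s\n", check_ptrace_signal(9) ? "EINVAL" : "ok");
    printf("vulnerable len=%d leak=%d\n", exact, statfs_leaks_secret(cvt_statfs_vulnerable, exact));
    printf("vulnerable len=256 leak=%d\n", statfs_leaks_secret(cvt_statfs_vulnerable, 256));
    printf("fixed      len=256 leak=%d\n", statfs_leaks_secret(cvt_statfs_fixed, 256));
    return 0;
}
```

The point of the clamp in `cvt_statfs_fixed` is that the copy size is derived from the kernel-side object, not from the caller; the caller's length is at most a hint to copy less. The same rule is why the signal path checks `data` against a kernel constant before any table lookup rather than trusting the tracer. Note that the `INVARIANTS` workaround from SA-03:09 only turns the out-of-range case into a panic; a range check like `check_ptrace_signal` is what removes the bug.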
#2

Registered User
Registered: Feb 2003
Location: BaWü
Posts: 503

I love my GENERIC ;-)