Date:      Thu, 20 Jun 2013 08:02:14 -0500
From:      Bryan Drewery <bryan-lists@shatow.net>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-13:06.mmap
Message-ID:  <51C2FD56.5010202@shatow.net>
In-Reply-To: <20130618073224.3982D3728D@nine.des.no>
References:  <20130618073224.3982D3728D@nine.des.no>

On 6/18/2013 2:32 AM, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-13:06.mmap                                       Security Advisory
>                                                           The FreeBSD Project
> 
> Topic:          Privilege escalation via mmap
> 
> Category:       core
> Module:         kernel
> Announced:      2013-06-18
> Credits:        Konstantin Belousov
>                 Alan Cox
> Affects:        FreeBSD 9.0 and later
> Corrected:      2013-06-18 09:04:19 UTC (stable/9, 9.1-STABLE)
>                 2013-06-18 09:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)
> CVE Name:       CVE-2013-2171
> 
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
> 
> I.   Background
> 
> The FreeBSD virtual memory system allows files to be memory-mapped.
> All or parts of a file can be made available to a process via its
> address space.  The process can then access the file using memory
> operations rather than filesystem I/O calls.
> 
> The ptrace(2) system call provides tracing and debugging facilities by
> allowing one process (the tracing process) to watch and control
> another (the traced process).
> 
> II.  Problem Description
> 
> Due to insufficient permission checks in the virtual memory system, a
> tracing process (such as a debugger) may be able to modify portions of
> the traced process's address space to which the traced process itself
> does not have write access.
> 
> III. Impact
> 
> This error can be exploited to allow unauthorized modification of an
> arbitrary file to which the attacker has read access, but not write
> access.  Depending on the file and the nature of the modifications,
> this can result in privilege escalation.
> 
> To exploit this vulnerability, an attacker must be able to run
> arbitrary code with user privileges on the target system.
> 
> IV.  Workaround
> 
> No workaround is available.

There is an exploit in the wild. If you have not patched yet, you can
disable ptrace(2) for unprivileged users. Note this disables ptrace,
gdb, truss, etc. for non-root.

This will do it until the next reboot:
  sysctl security.bsd.unprivileged_proc_debug=0

This will permanently disable it. I recommend doing this as it avoids
similar issues in the future:
  echo 'security.bsd.unprivileged_proc_debug=0' >> /etc/sysctl.conf
  service sysctl start

You should still hastily patch/reboot your system though.

-- 
Regards,
Bryan Drewery
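
An added example, not part of the original e-mail: shell functions that check whether the `security.bsd.unprivileged_proc_debug=0` mitigation above is both applied to the running kernel and persisted, and that persist it without the duplicate lines a repeated `>>` append leaves behind. The function names and status strings are assumptions of this example, and only `/etc/sysctl.conf` is examined.

```shell
#!/bin/sh
# Added example (not from the original message): audit the mitigation above.
KNOB='security.bsd.unprivileged_proc_debug'

# Print the value the conf file ($1) assigns to $KNOB. Assumes key=value lines
# with '#' comments; the last assignment wins because lines apply in order.
conf_value() {
    [ -r "$1" ] || return 0
    awk -v knob="$KNOB" '
        { sub(/#.*/, "") }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == knob) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Persist KNOB=0 in $1 without stacking duplicate lines on repeated runs.
persist_knob() {
    [ "$(conf_value "$1")" = "0" ] && return 0
    # Add a newline first if the file's last line lacks one.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
        echo >> "$1"
    fi
    printf '%s=0\n' "$KNOB" >> "$1"
}

# Classify a host. $1 = conf file, $2 = runtime value (sysctl -n "$KNOB").
check_host() {
    conf=$(conf_value "$1")
    if [ "$2" = "0" ] && [ "$conf" = "0" ]; then
        echo "ok"
    elif [ "$2" = "0" ]; then
        echo "runtime-only"   # setting is lost at the next reboot
    elif [ "$conf" = "0" ]; then
        echo "conf-only"      # persisted but not applied to the running kernel
    else
        echo "exposed"        # unprivileged ptrace(2) still allowed
    fi
}

# Read-only audit when run on FreeBSD; a no-op on other systems.
if [ "$(uname -s)" = "FreeBSD" ]; then
    check_host /etc/sysctl.conf "$(sysctl -n "$KNOB" 2>/dev/null)"
fi
```

A `conf-only` result means `service sysctl start` (or a reboot) is still needed; `runtime-only` means `persist_knob /etc/sysctl.conf` has not been run as root.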
