From owner-freebsd-emulation Wed Apr 21 19:29:54 1999
Delivered-To: freebsd-emulation@freebsd.org
Received: from gizmo.internode.com.au (gizmo.internode.com.au [192.83.231.115])
    by hub.freebsd.org (Postfix) with ESMTP id 74CB015905
    for ; Wed, 21 Apr 1999 19:29:08 -0700 (PDT)
    (envelope-from newton@gizmo.internode.com.au)
Received: (from newton@localhost)
    by gizmo.internode.com.au (8.9.3/8.9.3) id LAA73515
    for emulation@freebsd.org; Thu, 22 Apr 1999 11:56:38 +0930 (CST)
    (envelope-from newton)
From: Mark Newton
Message-Id: <199904220226.LAA73515@gizmo.internode.com.au>
Subject: (AUSCERT ESB-1999.055) NetBSD Security Advisory 1999-009 - SVR4 compatibility device creation vulnerability (fwd)
To: emulation@freebsd.org
Date: Thu, 22 Apr 1999 11:56:38 +0930 (CST)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-emulation@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just FYI - The FreeBSD MAKDEV_SVR4 script is not vulnerable to this problem.

    - mark

auscert@auscert.org.au wrote:
> ===========================================================================
> AUSCERT External Security Bulletin Redistribution
>
> ESB-1999.055 -- NetBSD Security Advisory 1999-009
> SVR4 compatibility device creation vulnerability
> 22 April 1999
>
> ===========================================================================
>
> The NetBSD Foundation, Inc. has released the following advisory concerning
> a vulnerability in the i386 port of NetBSD with SVR4 emulation additionally
> configured. This vulnerability may allow users to arbitrarily read or
> write any data stored on the NetBSD portion of the first IDE disk
> configured by the system.
>
> - --------------------------BEGIN INCLUDED TEXT--------------------
>
> - -----BEGIN PGP SIGNED MESSAGE-----
>
> NetBSD Security Advisory 1999-009
> =================================
>
> Topic: SVR4 compatibility device creation vulnerability
> Version: NetBSD 1.3.3 and prior; NetBSD-current until 19990420
> Severity: Local users can access and modify any data on first IDE disk
>
>
> Abstract
> ========
>
> In order to provide a system environment capable of executing System V
> Release 4 (`SVR4') binaries, it is necessary to create a set of device
> special files; to simplify this task, a shell script is shipped with
> the system. Due to a mismatch of device major numbers between NetBSD
> platforms, one device special file is erroneously created with a wrong
> major number, which may allow a regular user to arbitrarily read or
> write any data stored on the NetBSD portion of the first IDE disk
> configured by the system.
>
> This vulnerability is restricted to the i386 port of NetBSD with SVR4
> emulation additionally configured only.
>
>
> Technical Details
> =================
>
> The SVR4 /dev/wabi character device special file, usually created
> below the /emul/svr4 hierarchy, is currently supposed to be a synonym
> for the /dev/null device special file.
>
> Originally developed on the sparc port of NetBSD, the SVR4_MAKEDEV
> shell script creates this file with a major number of 3 and a minor
> number of 2, setting these properties equivalent to those of the
> /dev/null device special file on that platform. On the i386 port of
> NetBSD, the character device major number 3 is associated with the
> wd(4) driver, which supports IDE (and compatible) disks, and whose
> minor number 2 denotes the NetBSD portion of the first such disk
> configured by the systems; this corresponds to the special device file
> /dev/rwd0c in the base distribution. As the /dev/wabi special device
> file is created with world read and write permissions, a regular user
> may read and write any data stored on that portion of the disk.
>
> The effects of actually running the WABI software on a vulnerable system
> have not been investigated.
>
>
> Solutions and Workarounds
> =========================
>
> A patch is available for the NetBSD 1.3.3 which makes the SVR4_MAKEDEV
> shell script create the wabi device special file with the correct
> properties. You may find this patch on the NetBSD ftp server:
>
> ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990419-SVR4_MAKEDEV
>
> NetBSD-current since 19990420 is not vulnerable. Users of
> NetBSD-current should upgrade to a source tree later than 19990420.
>
> Once the SVR4_MAKEDEV script is updated, re-run it to recreate the
> wabi device with the correct parameters.
>
> If this action cannot be taken, an immediate workaround is to remove
> the existing device special file and creating a new one, which can be
> done by executing the following shell command sequence as the super-user:
>
> # /bin/rm -f /emul/svr4/dev/wabi
> # /sbin/mknod /emul/svr4/dev/wabi c 2 2
> # /bin/chmod u=rw,g=rw,o=rw /emul/svr4/dev/wabi
>
>
> Thanks To
> =========
>
> The vulnerability was discovered by Klaus Klein ,
> who also provided the solution and authored this advisory.
>
>
> Revision History
> ================
>
> 1999/04/17 - initial version
>
> 1999/04/19 - dates were incorrect
>
>
> More Information
> ================
>
> Information about NetBSD and NetBSD security can be found at
> http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
>
>
> Copyright 1999, The NetBSD Foundation, Inc. All Rights Reserved.
>
> $NetBSD: NetBSD-SA1999-009.txt,v 1.2 1999/04/19 15:07:52 mrg Exp $
>
> - -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: noconv
>
> iQCVAwUBNxwkvz5Ru2/4N2IFAQEbuQQAtv2ho3MWYYihmZBagGnX6Wd0KD+mTIh0
> liV32yx46kVELmCGrS4pEQh3fBNNgYkYBjympKrC/Iy1Vj9DMAMBNLGedFu10yXT
> oJnKLcmNmjEE8qRnqwjBRUIn/kURvG6wakgC9n6OuCOIcdtYeiUmgFhoPyl4lzKf
> FRpxHkqZnLo=
> =9Ypx
> - -----END PGP SIGNATURE-----
>
> - --------------------------END INCLUDED TEXT--------------------
>
> This security bulletin is provided as a service to AusCERT's members. As
> AusCERT did not write the document quoted above, AusCERT has had no control
> over its content. The decision to use any or all of this information is
> the responsibility of each user or organisation, and should be done so in
> accordance with site policies and procedures.
>
> NOTE: This is only the original release of the security bulletin. It will
> not be updated when updates to the original are made. If downloading at
> a later date, it is recommended that the bulletin is retrieved directly
> from the original authors to ensure that the information is still current.
>
> Contact information for the authors of the original document is included
> in the Security Bulletin above. If you have any questions or need further
> information, please contact them directly.
>
> Previous advisories and external security bulletins can be retrieved from:
>
> http://www.auscert.org.au/Information/advisories.html
>
> If you believe that your system has been compromised, contact AusCERT or
> your representative in FIRST (Forum of Incident Response and Security
> Teams).
>
> Internet Email: auscert@auscert.org.au
> Facsimile: (07) 3365 7031
> Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
> AusCERT personnel answer during Queensland business hours
> which are GMT+10:00 (AEST).
> On call after hours for emergencies.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3i
> Charset: noconv
> Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
>
> iQCVAwUBNx8KWyh9+71yA2DNAQEqCwP+KAwhq2voC5WEWfAZn421sdWxNxNnK0ba
> DGIa+sOFhbc4nbCHaGreooL7osssHx6RS1Z/NbMZwkw5oMZFzKGXBDY+NyPbvm42
> 2eIoba20PdNxdVh4FQbpmvaWbL+3IXkZVCxnMzecZMAIjWZWncVhBB98cq+Ifmp6
> KwLMvWKeKG4=
> =8dqr
> -----END PGP SIGNATURE-----

----
Mark Newton                               Email: newton@internode.com.au (W)
Network Engineer                          Email: newton@atdot.dotat.org (H)
Internode Systems Pty Ltd                 Desk: +61-8-82232999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-emulation" in the body of the message
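
Added example, not part of the advisory or of the forwarded message: a shell check that compares an emulation-tree alias node with the native node it is meant to mirror on the running platform, instead of trusting numbers carried over from another port. The helper name audit_alias and the sample `ls -l` lines are assumptions constructed for illustration; only the device numbers (3,2 for rwd0c, 2,2 for the corrected node) come from the advisory.

```sh
#!/bin/sh
# Constructed `ls -l` lines for an i386 system. Device numbers follow the
# advisory: rwd0c is c 3 2, and the corrected wabi/null pair is c 2 2.
# Owners, groups and dates are made up.
NATIVE='crw-rw-rw-  1 root  wheel     2,  2 Apr 22 11:00 /dev/null
crw-r-----  1 root  operator  3,  2 Apr 22 11:00 /dev/rwd0c'
BAD='crw-rw-rw-  1 root  wheel     3,  2 Apr 22 11:00 /emul/svr4/dev/wabi'
GOOD='crw-rw-rw-  1 root  wheel     2,  2 Apr 22 11:00 /emul/svr4/dev/wabi'

# audit_alias ALIAS_LINE EXPECTED_PATH NATIVE_LISTING   (hypothetical helper)
# Prints "ok" and returns 0 when the alias node has the same type, major and
# minor as EXPECTED_PATH in the native listing. Otherwise prints which native
# node(s) the alias really opens, flags write access for "other", returns 1.
audit_alias() {
    printf '%s\n%s\n' "$1" "$3" | awk -v want="$2" '
        # key: "type:major:minor" of the current ls -l record
        function key(   maj) {
            maj = $5; sub(/,$/, "", maj)
            return substr($1, 1, 1) ":" maj ":" $6
        }
        NR == 1 { alias = key(); name = $NF
                  ow = (substr($1, 9, 1) == "w"); next }
        { if ($NF == want) wantkey = key()
          if (key() == alias) real = real " " $NF }
        END {
            if (wantkey != "" && wantkey == alias) { print "ok"; exit 0 }
            printf "MISMATCH %s opens%s, expected %s%s\n", name,
                   (real == "" ? " (unknown)" : real), want,
                   (ow ? ", world-writable" : "")
            exit 1
        }'
}

# Node as the unpatched script makes it on i386, then after the fix.
audit_alias "$BAD"  /dev/null "$NATIVE" || echo "recreate the node"
audit_alias "$GOOD" /dev/null "$NATIVE"
```

On a live system, pass it `ls -ld` output for the alias and for the native nodes of interest (for example `ls -ld /dev/null /dev/rwd0c`); the column layout of `ls -l` is assumed to match the sample lines.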