FreeBSD devfs Device Disclosure jail(2) Bypass

2005-07-11T00:00:00
ID OSVDB:18123
Type osvdb
Reporter Ron van Daal (ronvdaal@zarathustra.linux666.com)
Modified 2005-07-11T00:00:00

Description

Vulnerability Description

The device file system (devfs) on FreeBSD contains a flaw that may allow a malicious user inside a jail(2) to gain access to unauthorized privileges. The issue is triggered when devfs fails to sufficiently check parameters of the node type during device node creation. As a result, devfs rulesets are not enforced as intended, and a jailed user can access device nodes that a ruleset should have hidden on devfs file systems mounted inside the jail. This flaw may lead to a loss of confidentiality, integrity and/or availability.

Solution Description

Upgrade to 5-STABLE, or to the RELENG_5_4 or RELENG_5_3 security branch dated after the correction date, which is reported to fix this vulnerability. FreeBSD has also released a source patch for affected releases (see References).

A workaround that mitigates (but does not correct) the flaw is to unmount device file systems mounted inside jails; because the ruleset itself can be bypassed on unpatched systems, hiding nodes with a ruleset is not sufficient on its own.

Short Description

A flaw in how FreeBSD's devfs checks node type parameters during device node creation allows a malicious user inside a jail to bypass devfs rulesets and access device nodes that should be hidden on devfs file systems mounted within the jail.

Manual Testing Notes

Example:

jail# uname -a
FreeBSD jail 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

The ethernet interface of the host (parent) is not in promiscuous mode. The interface of the jailed environment isn't in promiscuous mode either:

jail# ifconfig | grep fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500

Now starting tcpdump in the jail:

jail# tcpdump -i fxp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes

Checking the interface again within the jail:

jail# ifconfig | grep fxp0
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

The interface is running in promiscuous mode.

The host environment shows that the tcpdump process runs in a jail:

root@nietzsche# ps aux|grep tcpdump
root 50551 0.0 0.9 3784 2248 p4 S+J 8:37PM 0:00.04 tcpdump -i fxp0

The P_JAILED flag is set.

Conclusion:

Usage of devfs rulesets is highly recommended, as stated in the manpages. A misconfiguration at this point, though, would expose a big security issue. The question is: should bpfopen() in bpf.c check for a jailed proc or not?

Grt, Ron van Daal
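The Solution Description relies on devfs rulesets, and the testing notes above end with the warning that a misconfigured ruleset is enough to hand a jailed root raw packet capture on the host's interface. The following POSIX sh script is an added example, not part of this OSVDB entry, the FreeBSD advisory, or FreeBSD's own tooling: it evaluates a devfs.rules(5)-style ruleset offline, showing that a ruleset modelled on FreeBSD's devfsrules_jail hides the bpf nodes, and that the one-line "unhide bpf*" an administrator might add so tcpdump works inside the jail reverses that. The rule subset it understands, the ruleset text, and the sample node names are constructed assumptions (the ruleset is abbreviated and has its includes expanded by hand, it is not a copy of /etc/defaults/devfs.rules); the check_live_jail_dev function is meant for a real FreeBSD host and does nothing where devfs(8) is absent.

```shell
#!/bin/sh
# Added example (not from the OSVDB entry, the advisory, or FreeBSD's tooling).
# Evaluates a devfs.rules(5)-style ruleset against a list of device node names
# and prints the nodes that stay visible. Handled subset: "add hide",
# "add unhide", "add path PATTERN hide", "add path PATTERN unhide".
# [section] headers, comments and "add include" lines are skipped, so the
# rulesets below carry their includes expanded by hand.

# devfs_visible RULES NODES -> prints the visible nodes, space-separated.
# Rules are applied top to bottom to every node and each matching rule sets
# the node's state, so a later "unhide" overrides an earlier "hide".
devfs_visible() {
    rules=$1
    nodes=$2
    visible=
    set -f                          # no pathname expansion while splitting rule words
    for node in $nodes; do
        state=visible
        while IFS= read -r line; do
            set -- $line
            [ "${1:-}" = add ] && shift
            case "${1:-}" in
                ''|'#'*|'['*|include) continue ;;
                hide)   state=hidden ;;
                unhide) state=visible ;;
                path)
                    pat=${2#\'}; pat=${pat%\'}      # devfs.rules quotes globs: 'bpf*'
                    case "$node" in
                        $pat) case "${3:-}" in
                                  hide)   state=hidden ;;
                                  unhide) state=visible ;;
                              esac ;;
                    esac ;;
            esac
        done <<EOF
$rules
EOF
        [ "$state" = visible ] && visible="$visible $node"
    done
    set +f
    printf '%s\n' "${visible# }"
}

# Constructed ruleset modelled on FreeBSD's devfsrules_jail (hide everything,
# then unhide the basic and login nodes), abbreviated and with the includes
# expanded inline; not a copy of /etc/defaults/devfs.rules.
JAIL_RULES=$(cat <<'EOF'
[devfsrules_jail=4]
add hide
add path log unhide
add path null unhide
add path zero unhide
add path crypto unhide
add path random unhide
add path urandom unhide
add path 'ptyp*' unhide
add path 'ttyp*' unhide
add path fd unhide
add path 'fd/*' unhide
add path stdin unhide
add path stdout unhide
add path stderr unhide
EOF
)

# The tempting one-line "fix" so tcpdump works in the jail. This is the
# misconfiguration the testing notes warn about: with bpf reachable, jailed
# root can put the host's interface into promiscuous mode and read its traffic.
WEAK_JAIL_RULES="$JAIL_RULES
add path 'bpf*' unhide"

# Constructed sample of node names a jail's /dev might hold (not a real listing).
SAMPLE_NODES="null zero random urandom log ttyp0 bpf0 bpf1 mem kmem ad0s1a"

# bpf_exposed RULES NODES: exit 0 if the ruleset leaves any bpf node visible.
bpf_exposed() {
    for n in $(devfs_visible "$1" "$2"); do
        case "$n" in bpf*) return 0 ;; esac
    done
    return 1
}

# On a real FreeBSD host: show the rules on a jail's devfs mount and flag
# visible bpf nodes. Does nothing where devfs(8) is absent. Remember the
# advisory's point: on unpatched 5.x a ruleset alone is not sufficient, so the
# vendor workaround is to unmount devfs inside jails entirely.
check_live_jail_dev() {
    mnt=$1
    if ! command -v devfs >/dev/null 2>&1; then
        echo "devfs(8) not available; skipping live check of $mnt"
        return 2
    fi
    devfs -m "$mnt" rule show
    if ls "$mnt" 2>/dev/null | grep -q '^bpf'; then
        echo "WARNING: bpf device node(s) visible in $mnt"
        return 1
    fi
    return 0
}

echo "devfsrules_jail   : $(devfs_visible "$JAIL_RULES" "$SAMPLE_NODES")"
echo "with 'bpf*' unhide: $(devfs_visible "$WEAK_JAIL_RULES" "$SAMPLE_NODES")"
bpf_exposed "$WEAK_JAIL_RULES" "$SAMPLE_NODES" && echo "weak ruleset exposes bpf to the jail"
```

Run it as a plain script to see the two visible-node lists side by side; on a FreeBSD host, `check_live_jail_dev /path/to/jail/dev` prints the rules actually applied to that mount and warns if any bpf node is listed. Rule order is what makes the weak ruleset dangerous: an `unhide` appended after `devfsrules_jail`'s `hide` wins for every node it matches, and `bpf*` matches every capture device.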

References:

Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch
Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch.asc
Security Tracker: 1014536
Secunia Advisory ID: 16145
Other Advisory URL: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:17.devfs.asc
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0204.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0215.html
Mail List Post: http://archives.neohapsis.com/archives/freebsd/2005-07/0029.html
Mail List Post: http://archives.neohapsis.com/archives/freebsd/2005-07/0028.html
Mail List Post: http://archives.neohapsis.com/archives/freebsd/2005-07/0030.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0218.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0216.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0214.html
ISS X-Force ID: 21451
CVE ID: CVE-2005-2218
Bugtraq ID: 14334