NetBSD P_SUGID Flag ptrace() Check Bypass

2005-11-01T00:00:00
ID OSVDB:20759
Type osvdb
Reporter Christos Zoulas, Tavis Ormandy (taviso@google.com)
Modified 2005-11-01T00:00:00

Description

Vulnerability Description

NetBSD contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when an attacker uses exec() to spawn a replacement process that can defeat ptrace()'s check on P_SUGID. The flaw allows a debugger to attach to the replacement process, leading to a loss of integrity.

Technical Description

This vulnerability only manifests if the processes are running with alternate privileges gained from setuid and setgid executables.

Solution Description

Upgrade to version 2.1 after the correction date, or to a higher version, as this has been reported to fix the vulnerability. The flaw can also be worked around by mounting filesystems with the nosuid option, or by removing setuid bits or general user access from setuid programs. These workarounds are likely to affect required functionality.
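To check how far the workarounds above are in place on a host, the following added example (not part of the original advisory) lists mounted filesystems that lack nosuid and finds files that still carry setuid or setgid bits. The function names and the sample mount lines are constructed for illustration, and the parser assumes `mount` output of the form `device on /mountpoint type fstype (options)`.

```shell
#!/bin/sh
# Audit helpers for the nosuid / setuid-bit workarounds.
# Function names are hypothetical; SAMPLE_MOUNTS is constructed sample data.

# Read `mount` output on stdin and print every mount point whose option
# list does not contain "nosuid". Mount points containing spaces are not
# handled. Pseudo filesystems are reported too; filter by type if needed.
fs_without_nosuid() {
    awk '
    {
        mp = $3                      # field after the literal "on"
        opts = ""
        # options are the trailing parenthesised, comma-separated list
        if (match($0, /\([^)]*\)$/))
            opts = substr($0, RSTART + 1, RLENGTH - 2)
        n = split(opts, o, /, */)
        found = 0
        for (i = 1; i <= n; i++)
            if (o[i] == "nosuid") found = 1
        if (!found) print mp
    }'
}

# Print regular files under directory $1 (same filesystem only) that have
# the setuid (4000) or setgid (2000) bit set.
suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Constructed sample in the assumed `mount` output format.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0e on /home type ffs (nosuid, local)
/dev/wd0f on /usr type ffs (local)
mfs:123 on /tmp type mfs (asynchronous, nosuid, local)'

# Demo on the sample data.
printf '%s\n' "$SAMPLE_MOUNTS" | fs_without_nosuid

# On a live system:
#   mount | fs_without_nosuid
#   for mp in $(mount | fs_without_nosuid); do suid_files "$mp"; done
```

Each file reported by `suid_files` on a filesystem reported by `fs_without_nosuid` is a candidate for the bit-removal or access-restriction workaround; review it against required functionality before changing it.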

References:

Vendor Specific Advisory URL
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0157.html
CVE-2005-4741
Bugtraq ID: 15290