NetBSD on VAX ptrace Call PSL Content Modification

1999-12-12T00:00:00
ID OSVDB:7573
Type osvdb
Reporter Klaus Klein(kleink@netbsd.org)
Modified 1999-12-12T00:00:00

Description

Vulnerability Description

NetBSD on VAX contains a flaw that may allow a local user to gain unauthorized privileges. The issue is triggered when the user writes a program that uses the ptrace(2) system call to modify the hardware privilege bits (the PSL) of a process it traces. This flaw may lead to a loss of integrity.

Technical Description

A process debugging another with ptrace(2) can write the traced process's registers, including the processor status longword (PSL). On VAX the PSL carries, besides the condition codes and trap-enable bits, the current and previous access modes, the interrupt priority level (IPL) and the interrupt-stack flag. The hardware loads those privileged fields only through REI (return from interrupt) or LDPCTX (load process context), so code running in user mode cannot raise them itself. The kernel's ptrace register-write path, however, did not strip them from the value supplied by the debugger.

While the debugger alters the PSL, the traced process is stopped inside the kernel. When the kernel resumes it with REI, the hardware loads the supplied PSL, and the process continues in user space with whatever access mode, IPL and stack flag the debugger chose, including kernel mode.
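The mechanism above, and the shape of the fix the Solution Description refers to, as an added example that is not NetBSD's code: the PSL bit positions and the access-mode encoding follow the VAX architecture, but the macro names, the simplified trap frame and the two register-write functions are this example's own and are not the symbols in NetBSD's machdep.c. The unchecked function copies the debugger's PSL into the frame that REI will reload; the checked one keeps only the process-writable bits and forces the privileged fields back to user mode.

```c
/*
 * Added example (not NetBSD code): a VAX PSL written through ptrace,
 * before and after sanitising the privileged fields.  Bit layout is the
 * VAX architecture's; names, struct and functions are this example's own.
 */
#include <stdint.h>
#include <stdio.h>

/* Condition codes and trap enables: a user-mode process may set these. */
#define PSL_C       0x00000001u   /* carry */
#define PSL_V       0x00000002u   /* overflow */
#define PSL_Z       0x00000004u   /* zero */
#define PSL_N       0x00000008u   /* negative */
#define PSL_T       0x00000010u   /* trace enable */
#define PSL_IV      0x00000020u   /* integer overflow enable */
#define PSL_FU      0x00000040u   /* floating underflow enable */
#define PSL_DV      0x00000080u   /* decimal overflow enable */

/* Privileged fields: loadable only by REI/LDPCTX, i.e. from the kernel. */
#define PSL_IPL     0x001f0000u   /* interrupt priority level, bits 16-20 */
#define PSL_PREVMOD 0x00c00000u   /* previous access mode, bits 22-23 */
#define PSL_CURMOD  0x03000000u   /* current access mode, bits 24-25 */
#define PSL_IS      0x04000000u   /* running on the interrupt stack */
#define PSL_FPD     0x08000000u   /* first part done */
#define PSL_TP      0x40000000u   /* trace pending */
#define PSL_CM      0x80000000u   /* PDP-11 compatibility mode */

#define PSL_MODE_KERNEL 0u        /* access modes: 0 kernel ... 3 user */
#define PSL_MODE_USER   3u

/* Bits a debugger may legitimately change in the traced process. */
#define PSL_USERBITS (PSL_C | PSL_V | PSL_Z | PSL_N | PSL_T | PSL_IV | PSL_FU | PSL_DV)
/* What every user-mode process must carry: current and previous mode = user. */
#define PSL_USERMODE ((PSL_MODE_USER << 24) | (PSL_MODE_USER << 22))

/* Simplified trap frame (assumption): the kernel saves the stopped process's
   PC and PSL here, and REI reloads both when it returns to user space. */
struct trapframe {
    uint32_t pc;
    uint32_t psl;
};

/* Vulnerable shape: the debugger's PSL lands in the frame untouched, so REI
   installs whatever mode, IPL and stack flag it asked for. */
void setregs_unchecked(struct trapframe *tf, uint32_t pc, uint32_t psl)
{
    tf->pc = pc;
    tf->psl = psl;
}

/* Hardened shape: keep only the process-writable bits and force the
   privileged fields to their user-mode values. */
void setregs_checked(struct trapframe *tf, uint32_t pc, uint32_t psl)
{
    tf->pc = pc;
    tf->psl = (psl & PSL_USERBITS) | PSL_USERMODE;
}

/* Current access mode encoded in a PSL (0 = kernel ... 3 = user). */
unsigned psl_curmode(uint32_t psl)
{
    return (psl & PSL_CURMOD) >> 24;
}

/* True if this PSL would give the process privilege a user-mode
   context must never hold: a non-user mode, a raised IPL, the
   interrupt stack or compatibility mode. */
int psl_is_privileged(uint32_t psl)
{
    return psl_curmode(psl) != PSL_MODE_USER
        || ((psl & PSL_PREVMOD) >> 22) != PSL_MODE_USER
        || (psl & (PSL_IPL | PSL_IS | PSL_CM)) != 0;
}

int main(void)
{
    struct trapframe tf = {0, 0};
    /* Constructed debugger request: kernel mode, IPL 31, interrupt stack,
       plus the Z condition code so the harmless bits are visible too. */
    uint32_t evil = (PSL_MODE_KERNEL << 24) | (PSL_MODE_KERNEL << 22)
                  | PSL_IPL | PSL_IS | PSL_Z;

    setregs_unchecked(&tf, 0x1000, evil);
    printf("unchecked: psl=%08x curmode=%u privileged=%d\n",
           tf.psl, psl_curmode(tf.psl), psl_is_privileged(tf.psl));
    setregs_checked(&tf, 0x1000, evil);
    printf("checked:   psl=%08x curmode=%u privileged=%d\n",
           tf.psl, psl_curmode(tf.psl), psl_is_privileged(tf.psl));
    return 0;
}
```

The check that matters is the one psl_is_privileged expresses: after a PT_SETREGS-style write, the frame's PSL must still encode user mode in both mode fields, IPL 0 and no interrupt stack, regardless of what the debugger supplied. Masking is preferable to rejecting the request, since a debugger routinely copies back a whole register set it read earlier and should not be failed for bits it never intended to change.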

Solution Description

Upgrade to NetBSD-current, which has been reported to fix this vulnerability. Alternatively, apply the machdep.c patch, which corrects the flaw. Whichever fix is used, the ptrace register-write path must afterwards mask the PSL so that only the condition codes and trap-enable bits are taken from the debugger, while the access mode, IPL and interrupt-stack bits keep their user-mode values.

Short Description

NetBSD on VAX allows a local user to set privileged PSL bits (access mode, IPL, interrupt stack) in a process it traces through ptrace(2), gaining unauthorized privileges and a loss of integrity.

References:

Vendor Specific Advisory URL
ISS X-Force ID: 3994
CVE-2000-0157
Bugtraq ID: 992