[UNIX] Linux Virtual Server/Secure Context Procfs Shared Permissions Flaw

From: SecuriTeam (support_at_securiteam.com)
Date: 07/05/04

  • Next message: SecuriTeam: "[NT] Internet Explorer Memory Corruption Bug" 
    To: list@securiteam.com
Date: 5 Jul 2004 14:10:47 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Linux Virtual Server/Secure Context Procfs Shared Permissions Flaw
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.linux-vserver.org/> Linux Virtual Server "extends the Linux
    kernel to provide the ability to run several virtual servers on a single
    host system. In contrast to other virtualization attempts Linux Virtual
    Server uses a split userland architecture under a single kernel to
    optimize sharing of all resources and reduce resource consumption overhead
    per VM to the absolute minimum". During a security audit on the vproc
    security scheme a permission sharing vulnerability was discovered.

    DETAILS

    Vulnerable Systems:
     * Linux Virtual Server version 1.27 and prior (Linux 2.4 stable branch)
     * Linux Virtual Server version 1.3.9 and prior (Linux 2.4 devel branch)
     * Linux Virtual Server version 1.9.1 and prior (Linux 2.6 devel branch)

    Immune Systems:
     * Linux Virtual Server version 1.28

    While auditing and experimenting with VServer procfs and vproc security
    Veit discovered a problem sharing permissions on the procfs mounted
    directories:

    Within any context users are still able to change permissions on /proc,
    both access permission and ownership. That is just fine as many people
    would like to restrict access to /proc to the root user or a group of
    trusted users.

    But as changes to a procfs mountpoint do not apply to the mountpoint
    itself but to procfs in general, these changes affect all contexts
    (VServers) and even the host system.

    All tests were done against the stable branch (1.2x) but regarding to
    Herbert Poetzl, the problem exists on both devel branches (1.3.x, 1.9.x),
    too.

    Version 1.28 (stable branch) resolves this problem.

    Exploitation:
    The vulnerability may be locally exploited in two ways:

    1. From within a virtual server a denial of service attack (DoS) may be
    provoked towards other virtual servers and the host system. By setting
    permissions that prevent users other than root to read information from
    procfs (i.e. process information) will disable a wide range of services.

    2. On systems where access to procfs is allowed to root only (or to a
    group of trusted users; i.e. shared hosting environments), an attacker may
    use access to another virtual server to gain critical information about
    processes or other data on the primary target virtual server (or the host
    system).

    Workaround:
    To work around this problem, procfs may be mounted read-only. On the
    host-system do:
    # mount -o remount,ro /proc

    As this also prevents the host system from changing any values in /proc,
    this should just be a temporary solution.

    Disclosure Timeline:
    2004-06-30 Vulnerability discovered
    2004-07-02 Vendor informed
    2004-07-03 First vendor response, confirmation
    2004-07-04 Official fix available, advisory release

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:cru@zodia.de> Veit Wahlich.
    The original article can be found at:
    <http://ircnet.de/article.shtml?vsproc>
    http://ircnet.de/article.shtml?vsproc

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Internet Explorer Memory Corruption Bug"

    Relevant Pages

    • [Full-Disclosure] OpenBSD procfs
      ... Deprotect Security Advisory 20041405 ... Kernel memory disclosure via procfs. ... Deprotect is a Swedish based security company divided into four divisions; ...
      (Full-Disclosure)
    • Re: OWA issue certain emails dont open
      ... permissions are correct and perhaps set the Default Virtual Server to use a ... > In looking into a problem with certain emails not opening I found it was ... > want to open up a major security hole just for the sake of it. ... I dont really understand the security ...
      (microsoft.public.exchange.admin)
    • Re: Microsoft Access Table Security
      ... convert the data and application to run from SQL server. ... server put the other apps on another virtual server and then ship it ... Database Projection and Security" and it looks like it might be able ...
      (microsoft.public.access.security)
    • Re: Site Layout - Suggestions
      ... The security is handled on a per site or per area level. ... > The client wants the advanced search facilities procided by SPPS 2003. ... > Would there be any advantage/disadvantage in creating a new virtual server ...
      (microsoft.public.sharepoint.portalserver)
    • Re: /proc directory
      ... > particularly concerned about security, in which case, you don't mount ... You're downplaying the security implications quite remarkably there: ... procfs has been the source of numerous local root vulnerabilities over ...
      (freebsd-questions)