[UNIX] NetBSD Binary Compatibility Code Insufficient Argument Validation
From: SecuriTeam (support_at_securiteam.com)
Date: 12/29/04
To: list@securiteam.com
Date: 29 Dec 2004 16:41:57 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
NetBSD Binary Compatibility Code Insufficient Argument Validation
------------------------------------------------------------------------
SUMMARY
Some of NetBSD's functions that implement execution of foreign binaries
use argument data in an unsafe manner. The implications range from a
simple DoS against the entire system to elevation of privileges.
DETAILS
Vulnerable Systems:
* NetBSD-current: source prior to Oct 27, 2004
* NetBSD version 1.6.x
* NetBSD version 1.5.x
Immune Systems:
* NetBSD current from Oct 28, 2004
* NetBSD version 2.0
* NetBSD version 1.6.3
Kernel syscall implementations must perform appropriate sanity checks on
data passed from userland. The native system calls perform appropriate
checks. However, the compatibility code responsible for execution of
foreign binaries does not.
The issue was originally reported by Evgeny Demidov.
The compat subsystem, in /usr/src/sys/compat/*, allows NetBSD users to run
binaries compiled for other operating systems which run on the same CPU
architecture as the NetBSD host. Typically, the foreign OS supports a set
of system calls which are very similar to NetBSD's. Native instructions do
not need to be translated, but calls to the operating system do.
A binary's native OS is determined at exec() time. The kernel maps the
syscall table for the native OS so that each syscall is delivered to a
foreign OS -> NetBSD translation function, if needed. These translation
functions reorder arguments, reformat them, perform mapping of constants
(such as signal(3) IDs) and call the appropriate native NetBSD system call
to service the application's needs.
Some of the translation functions performed unsafe operations using the
syscall arguments, and could be exploited to cause kernel traps. Some of
the flaws may be exploitable and result in privilege escalation.
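The advisory does not name the affected translation functions or the exact unsafe operations. As an added illustration (not NetBSD source and not part of the original advisory), this user-space C model shows the kind of sanity check the text calls for, using a hypothetical signal-number mapping; every identifier and table value is constructed.

```c
/* Added illustration: user-space model of a compat translation function.
 * All identifiers are hypothetical, not NetBSD's. */
#include <errno.h>
#include <stdio.h>

#define FOREIGN_NSIG 8  /* constructed size of the foreign signal space */

/* Constructed table: index = foreign signal number, value = native
 * signal number; 0 marks "no native equivalent" (except index 0). */
static const int foreign_to_native_sig[FOREIGN_NSIG] = {
    0, 1, 2, 3, 0, 6, 9, 15
};

static int last_native_signo = -1;  /* records what the native call saw */

/* Stand-in for the native syscall the translator forwards to. */
static int native_kill(int pid, int signo)
{
    (void)pid;
    last_native_signo = signo;
    return 0;
}

/* Unsafe shape: a caller-controlled value indexes kernel data directly.
 * A negative or oversized fsig reads outside the table. Never called here. */
int compat_kill_unchecked(int pid, int fsig)
{
    return native_kill(pid, foreign_to_native_sig[fsig]);
}

/* Checked shape: validate the range first, then reject unmapped values. */
int compat_kill(int pid, int fsig)
{
    int nsig;
    if (fsig < 0 || fsig >= FOREIGN_NSIG)
        return EINVAL;
    nsig = foreign_to_native_sig[fsig];
    if (nsig == 0 && fsig != 0)
        return EINVAL;
    return native_kill(pid, nsig);
}

int main(void)
{
    int inputs[] = { 6, 0, 4, -1, 8, 1 << 20 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("fsig=%d -> %d\n", inputs[i], compat_kill(1, inputs[i]));
    return 0;
}
```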
All of these attacks require local access to the system. A system with
only trusted user accounts is not immediately at risk. A system running a
custom kernel with all 'options COMPAT_' commented out is not at risk.
Patch Availability:
The NetBSD 2.0 release already includes a fix for this issue. Users of the
1.6 branch are highly encouraged to upgrade to version 1.6.3.
Users of the 1.5 branch, which is considered end-of-life, are encouraged
to upgrade to a newer version.
ADDITIONAL INFORMATION
The information has been provided by NetBSD Security-Officer
<security-officer@netbsd.org>.
The original articles can be found at:
http://gleg.net/advisory_netbsd2.shtml
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-010.txt.asc