[UNIX] UNIX Securelevels Time Modification Flaw



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



UNIX Securelevels Time Modification Flaw
------------------------------------------------------------------------


SUMMARY

BSD-Securelevels try to harden the system by restricting certain
functions. The manpage[1] states: "The kernel runs with five different
levels of security. Any super-user process can raise the security level,
but no process can lower it."

The implementations of securelevels on NetBSD and Linux contain an
integer overflow, allowing the protection of the system time to be
completely circumvented.

DETAILS

Vulnerable Systems:
* NetBSD-current: source prior to December 5, 2005
* NetBSD 2.1
* NetBSD 2.0.3
* NetBSD 1.6.2
* Linux vanilla kernel 2.6.15 and below

Immune Systems:
* NetBSD-current branch: December 5, 2005
* NetBSD-3 branch: December 6, 2005
* NetBSD-2.1 branch: December 6, 2005
* NetBSD-2.0 branch: December 6, 2005
* NetBSD-2 branch: December 6, 2005
* NetBSD-1.6 branch: December 6, 2005

When running at a securelevel equal to or higher than two, kernel time
changes are restricted. While it is possible to set the clock forward, it
is not possible to turn it backwards. By setting the clock forward to the
end of unixtime, an integer overflow will be triggered and the clock will
be reset.

By setting the system time to the end of unixtime, it is possible to reset
the system time to the lowest possible integer of unixtime. When the
system clock reaches "Tue Jan 19 03:14:08 UTC 2038", the 32-bit signed
integer containing the time will overflow and the system time will be
reset to "Fri Dec 13 20:45:52 UTC 1901".

This is known as the Year 2038 Problem. The flaw is also present when
running a securelevel of two or greater, allowing the restrictions on
kernel time changes to be circumvented.

Proof of Concept:
# date 203801190414.07
Di 19 Jan 2038 04:14:07 CET
# date
Fr 13 Dez 1901 21:45:53 CET

Fix:
The problem has been fixed in all affected versions of NetBSD.
No fix is available for the Linux implementation of securelevels.
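
The check described above, modelled in user space as an added example; it is not code from the advisory, from NetBSD or from the Linux securelevel module. The function names, the one-year margin and the start time are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a 32-bit signed seconds counter, as on the affected systems. */
typedef int32_t ktime32_t;

/* Assumed safety margin of one year; a hypothetical value chosen for this example. */
#define WRAP_MARGIN ((ktime32_t)(365 * 24 * 60 * 60))

/* One second passes; unsigned arithmetic reproduces the wrap without signed-overflow UB. */
static ktime32_t tick(ktime32_t now) {
    return (ktime32_t)((uint32_t)now + 1u);
}

/* Weak check: at securelevel >= 2 only backward steps are refused. */
static int settime_weak(ktime32_t *clock, ktime32_t req, int securelevel) {
    if (securelevel >= 2 && req < *clock)
        return EPERM;
    *clock = req;
    return 0;
}

/* Hardened check: also refuse forward steps landing within WRAP_MARGIN of the wrap point. */
static int settime_hardened(ktime32_t *clock, ktime32_t req, int securelevel) {
    if (securelevel >= 2 && (req < *clock || req > INT32_MAX - WRAP_MARGIN))
        return EPERM;
    *clock = req;
    return 0;
}

/* Clock value after requesting `req` at securelevel 2 and letting `secs` seconds pass. */
static ktime32_t set_then_run(int (*set)(ktime32_t *, ktime32_t, int),
                              ktime32_t start, ktime32_t req, int secs) {
    ktime32_t clock = start;
    if (set(&clock, req, 2) != 0)
        return clock;               /* request refused, clock unchanged */
    while (secs-- > 0)
        clock = tick(clock);
    return clock;
}

int main(void) {
    ktime32_t start = 1136764800;   /* 2006-01-09 00:00:00 UTC, constructed sample */
    printf("weak:     %d\n", (int)set_then_run(settime_weak, start, INT32_MAX, 1));
    printf("hardened: %d\n", (int)set_then_run(settime_hardened, start, INT32_MAX, 1));
    return 0;
}
```

With the weak check the clock ends at the lowest 32-bit value (1901) one second after an allowed forward step; the hardened check refuses the request and the clock stays at its start value.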

CVE Information:
CVE-2005-4352
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4352>

Disclosure Timeline:
* 2005-11-05 Problem discovered while testing a product of iPisec Ltd.
* 2005-11-29 Discussed the issue with iPisec management and technicians
* 2005-12-02 Contacted the maintainer of BSD-Securelevels on Linux
* 2005-12-02 Response from the maintainer of BSD-Securelevels on Linux: he
wants to do what *BSD will be doing
* 2005-12-04 Contacted NetBSD security
* 2005-12-05 Response from NetBSD security - problem has been fixed
* 2005-12-15 Forwarded the *BSD responses to the Linux maintainer
* 2006-01-05 No further response from the Linux maintainer
* 2006-01-09 Coordinated public release

Reference:
[1] <http://www.freebsd.org/cgi/man.cgi?query=securelevel>


ADDITIONAL INFORMATION

The information has been provided by RedTeam Pentesting
<mailto:release@xxxxxxxxxxxxxxxxxxxxx>.
The original article can be found at:
<http://www.redteam-pentesting.de/advisories/rt-sa-2005-16.txt>


