From security-advisories@freebsd.org Thu Jul 18 01:20:40 2002 From: FreeBSD Security Advisories To: Bugtraq Date: Fri, 12 Jul 2002 13:46:12 -0700 (PDT) Subject: FreeBSD Security Advisory FreeBSD-SA-02:30.ktrace -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:30 Security Advisory The FreeBSD Project Topic: Users may trace previously privileged processes Category: core Module: ktrace Announced: 2002-07-12 Credits: Theo DeRaadt Darren Reed Affects: All releases prior to and including 4.6-RELEASE FreeBSD 4.6-STABLE prior to the correction date Corrected: 2002-07-05 22:36:38 UTC (RELENG_4) 2002-07-11 16:47:41 UTC (RELENG_4_6) 2002-07-11 16:47:55 UTC (RELENG_4_5) 2002-07-11 16:56:05 UTC (RELENG_4_4) FreeBSD only: NO I. Background The ktrace utility is a debugging tool that allows users to trace system calls, I/O, and file system lookup operations executed by or on behalf of a process and its children. Since this could potentially reveal sensitive information, the kernel will normally only allow a user to trace his or her own processes, and will immediately stop tracing a process that gains special privileges, for instance by executing a setuid or setgid binary. The ktrace utility depends on the KTRACE kernel option, which is enabled by default. II. Problem Description If a process that had special privileges were to abandon them, it would become possible for the owner of that process to trace it. However, that process might still possess and / or communicate sensitive information that it had obtained before abandoning its privileges, which would then be revealed to the tracing user. III. Impact In theory, local users on systems where ktrace is enabled through the KTRACE kernel option might obtain sensitive information, such as password files or authentication keys. No specific utility is currently known to be vulnerable to this particular problem. IV. Workaround Recompile the kernel without the KTRACE option, and reboot. V. Solution The following patch has been verified to apply to FreeBSD 4.4, 4.5, and 4.6 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:30/ktrace.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:30/ktrace.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - ------------------------------------------------------------------------- src/sys/kern/kern_ktrace.c RELENG_4 1.35.2.6 RELENG_4_6 1.35.2.5.4.1 RELENG_4_5 1.35.2.5.2.1 RELENG_4_4 1.35.2.4.4.1 - ------------------------------------------------------------------------- VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iQCVAwUBPS8+qFUuHi5z0oilAQH+XwQAlGxDecckzp1md5S3S3JfLSkvI3vMHzTw nezUkanQ+2M65kj3QUzDnhv+jR0KpgAXCfMIVFUekb+rO8fbxbVygyWZH3T501F/ 5nhoNGwkbTVdjY9x34dSOvVJHNUZ0zn9Y+aQiC5msK4ZyI2GFdrH/Kfa1Ubh7H6z w1/J3NNJ5Bs= =z5iy -----END PGP SIGNATURE-----