Technical discussion regarding security issues in NetBSD

NetBSD Security-Officer | 8 Jun 2006 23:42

Picon

NetBSD Security Advisory 2006-015: FPU Information leak on i386/amd64/Xen platforms with AMD CPUs


		 NetBSD Security Advisory 2006-015
		 =================================

Topic:		FPU Information leak on i386/amd64/Xen platforms with AMD CPUs

Version:	NetBSD-current:	source prior to April 19, 2006
		NetBSD 3.0:	affected
		NetBSD 2.1:     affected
		NetBSD 2.0.*:   affected
		NetBSD 2.0:     affected

Severity:	Information leakage between local processes

Fixed:		NetBSD-current:		April 19, 2006
		NetBSD-3-0 branch:	May 12, 2006
						(3.0.1 will include the fix)
		NetBSD-3   branch:	May 12, 2006
		NetBSD-2-1 branch:      May 12, 2006
						(2.1.1 will include the fix)
		NetBSD-2-0 branch:      May 12, 2006
						(2.0.4 will include the fix)
		NetBSD-2 branch:        May 12, 2006

Abstract
========

Due to the documented behavior of AMD processors when running amd64, i386
and Xen NetBSD kernels, processors using floating point operations can leak
information.  This may allow a local attacker to gain sensitive privileged

(Continue reading)

NetBSD Security-Officer | 8 Jun 2006 23:44

Picon

NetBSD Security Advisory 2006-016: IPv6 socket options can crash the system


		 NetBSD Security Advisory 2006-016
		 =================================

Topic:		IPv6 socket options can crash the system

Version:	NetBSD-current:	source prior to May 23, 2006
		NetBSD 3.0:	affected
		NetBSD 2.1:     affected
		NetBSD 2.0.*:   affected
		NetBSD 2.0:     affected

Severity:	Any local user can crash the system

Fixed:		NetBSD-current:		May 23, 2006
		NetBSD-3-0 branch:	May 24, 2006
						(3.0.1 will include the fix)
		NetBSD-3   branch:	May 24, 2006
		NetBSD-2-1 branch:      May 24, 2006
						(2.1.1 will include the fix)
		NetBSD-2-0 branch:      May 24, 2006
						(2.0.4 will include the fix)
		NetBSD-2 branch:        May 24, 2006

Abstract
========

Insufficient validation when parsing IPv6 socket options can lead to a
system crash.  This can be triggered by a local non-privileged user.

(Continue reading)

Jeremy C. Reed | 14 Jun 2006 04:50

su and resources not honored

src/usr.bin/su/su_pam.c has:

    * Don't touch resource/priority settings if -m has been used
    * or -l and -c hasn't, and we're not su'ing to root.
    */
   if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
           setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES);

   if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) == -1)
           err(EXIT_FAILURE, "setusercontext");

So using "su" (without -m for example), a user (who knows another user 
account's password) can login to that other user's account and because 
LOGIN_SETRESOURCES is not used their previous resources are in effect. Is 
that okay?

This seems like a way a user can misuse resources. Comments?

If that is acceptable behaviour it should be clearly documented. (Any 
suggestions on wording for the manual page?)

I haven't checked other operating systems yet.

Note that our login(1) does not have that problem.

 Jeremy C. Reed

Jeremy C. Reed | 14 Jun 2006 07:56

Re: check resource limits with exec(3)?

I added tech-kern to this as I have a patch for kernel below related to 
this. (Also included are parts of a few emails below for some context.)
Below are two patches (one for kernel) and replies to a couple emails.
I also added tech-security for discussion on the actual security 
issues this involves.

On Tue, 6 Jun 2006, Iain Hibbert wrote to tech-userlevel:

> > Or is it acceptable for programs to go over (ignore) the defined maxproc?
> 
> If it is actually a problem, then I would say that the correct place to
> check it would be under setuid() somewhere (probably do_setresuid() in
> sys/kern/kern_prot.c?), and return EPROCLIM if the operation would exceed
> limits.  I couldnt say if that would have other implications though..

On Thu, 8 Jun 2006, Daniel Carosone wrote to tech-userlevel:

> On Wed, Jun 07, 2006 at 09:31:12PM +0100, David Laight wrote:
> > All the places where those calls are assumed to succeed because there
> > is no way they can fail...
> 
> This discussion comes about in part because of a discovery, on another
> platform, of a way they can fail.

Exactly. I was testing some security issues found on Linux caused by 
setuid failing (where a user could easily get root). I couldn't reproduce 
same issue on NetBSD but came across a different issue.

Here is what I have been using:

(Continue reading)

NetBSD Security-Officer | 14 Jun 2006 23:42

Picon

NetBSD Security Advisory 2006-017: Sendmail malformed multipart MIME messages


		 NetBSD Security Advisory 2006-017
		 =================================

Topic:		Sendmail malformed multipart MIME messages

Version:	NetBSD-current:	source prior to May 30, 2006
		NetBSD 3.0:	affected
		NetBSD 2.1:	affected
		NetBSD 2.0.*:	affected
		NetBSD 2.0:	affected
		pkgsrc:		sendmail-8.13.6nb2 and earlier
				sendmail-8.12.11nb2 and earlier

Severity:	Denial of service

Fixed:		NetBSD-current:		May 30, 2006
		NetBSD-3-0 branch:	June 14, 2006
					   (3.0.1 will include the fix)
		NetBSD-3   branch:	June 14, 2006
		NetBSD-2-1 branch:	June 14, 2006
					   (2.1.1 will include the fix)
		NetBSD-2-0 branch:	June 14, 2006
					   (2.0.4 will include the fix)
		NetBSD-2   branch:	June 14, 2006
		pkgsrc:			sendmail-8.13.6nb3 corrects this issue
					sendmail-8.12.11nb3 corrects this issue

Abstract
========

(Continue reading)

Bill Studenmund | 15 Jun 2006 02:21

Picon

Re: su and resources not honored

On Tue, Jun 13, 2006 at 07:50:59PM -0700, Jeremy C. Reed wrote:
> src/usr.bin/su/su_pam.c has:
> 
>     * Don't touch resource/priority settings if -m has been used
>     * or -l and -c hasn't, and we're not su'ing to root.
>     */
>    if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
>            setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES);
> 
>    if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) == -1)
>            err(EXIT_FAILURE, "setusercontext");
> 
> So using "su" (without -m for example), a user (who knows another user 
> account's password) can login to that other user's account and because 
> LOGIN_SETRESOURCES is not used their previous resources are in effect. Is 
> that okay?
> 
> This seems like a way a user can misuse resources. Comments?

If I understand things right, the way this would work is that user A would 
log into user B's account but the process limits & such would be counted 
against user A, correct? Or would they no longer be counted against user A 
and user B would be well-above limits?

Take care,

Bill

Jeremy C. Reed | 15 Jun 2006 02:55

Re: su and resources not honored

On Wed, 14 Jun 2006, Bill Studenmund wrote:

> If I understand things right, the way this would work is that user A would 
> log into user B's account but the process limits & such would be counted 
> against user A, correct? Or would they no longer be counted against user A 
> and user B would be well-above limits?

They would not be counted against user A. And user B would never get 
resource limits set (i.e. setrlimit), so could potentially be above 
limits.

It works correctly on NetBSD 2.1 (before pam):

rainier:~$ id -un
reed
rainier:~$ ulimit -u
200
rainier:~$ su dummy
Password:
rainier: {2} id -un
dummy
rainier: {1} limit maxproc
maxproc         5

It doesn't work with NetBSD 3.99.20:

$ id -un
reed
$ ulimit -p 
160

(Continue reading)

Bill Studenmund | 15 Jun 2006 03:15

Picon

Re: su and resources not honored

On Wed, Jun 14, 2006 at 05:55:50PM -0700, Jeremy C. Reed wrote:
> On Wed, 14 Jun 2006, Bill Studenmund wrote:
> 
> > If I understand things right, the way this would work is that user A would 
> > log into user B's account but the process limits & such would be counted 
> > against user A, correct? Or would they no longer be counted against user A 
> > and user B would be well-above limits?
> 
> They would not be counted against user A. And user B would never get 
> resource limits set (i.e. setrlimit), so could potentially be above 
> limits.
> 
> It works correctly on NetBSD 2.1 (before pam):

[snip]

> It doesn't work with NetBSD 3.99.20:

Then it's a bug. 

Take care,

Bill

Group

gmane.os.netbsd.devel.security.

Advertisement

Search Archive

Page

1

Articles in period: 8

June 2006

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

$fetch_pkg_vulnerabilities warning from /etc/daily (12 Jun 2013)
Potwierdz swoje konto (31 May 2013)
[GSoC 2013] Implement file system flags to scrub data blocks before de (30 Apr 2013)
regarding project to"Implement file system flags to scrub data blocks (14 Apr 2013)
Google Summer of Code 2013. (13 Apr 2013)
OpenCrypto swcrypto(4) enhancements (10 Apr 2013)
NetBSD Security Advisory 2013-003: RNG Bug May Result in Weak Cryptogr (30 Mar 2013)
ECDSA and key leaks due to RNG problems. (25 Mar 2013)
Updated NetBSD Security Advisory 2013-003: RNG Bug May Result in Weak (7 Mar 2013)
NetBSD Security Advisory 2013-003: Pseudo-Random bits weaker than expe (27 Feb 2013)
NetBSD Security Advisory 2013-004: Vulnerabilities in grep (27 Feb 2013)
NetBSD Security Advisory 2013-002: kqueue related kernel panic trigger (27 Feb 2013)
You have (1) new ecard! (26 Feb 2013)
You have (1) new ecard! (8 Feb 2013)
Invitation to Bid - Jared #2528 - Evansville, IN (30 Jan 2013)
Notice of Addendum #: 1 - Oregon Park District (29 Jan 2013)
Invitation to Bid - Spencer Gifts #205 - St. Clair Square (29 Jan 2013)
NetBSD Security Advisory 2013-001: kernel panic triggered from userlan (29 Jan 2013)
Your Blue Book Network Project Leads ( MREF#188430675 ) (27 Jan 2013)
� Last day to save on our website presence package (25 Jan 2013)
Analyst Report: Understanding Responsive Design (25 Jan 2013)

Archives

13	June 2013
3	May 2013
6	April 2013
3	March 2013
6	February 2013
16	January 2013
6	December 2012
28	November 2012
6	October 2012
4	September 2012
2	August 2012
20	July 2012
12	June 2012
4	May 2012
4	April 2012
10	March 2012
16	December 2011
2	November 2011
2	October 2011
1	September 2011
7	August 2011
1	July 2011
3	June 2011
1	May 2011
16	April 2011
2	March 2011
3	February 2011
3	January 2011
2	December 2010
13	November 2010
9	October 2010
10	September 2010
3	August 2010
4	July 2010
1	June 2010
9	April 2010
1	March 2010
11	February 2010
7	January 2010
10	December 2009
2	November 2009
1	October 2009
1	August 2009
12	July 2009
11	June 2009
8	May 2009
7	April 2009
38	March 2009
10	February 2009
19	January 2009
3	December 2008
16	November 2008
11	October 2008
2	September 2008
17	August 2008
18	July 2008
14	June 2008
16	May 2008
6	April 2008
7	March 2008
7	February 2008
37	January 2008
27	December 2007
12	November 2007
12	October 2007
3	September 2007
11	August 2007
12	July 2007
50	June 2007
7	May 2007
2	April 2007
12	March 2007
73	February 2007
32	January 2007
55	December 2006
61	November 2006
28	October 2006
37	September 2006
71	August 2006
18	July 2006
8	June 2006
6	May 2006
22	April 2006
97	March 2006
59	February 2006
111	January 2006
45	December 2005
45	November 2005
41	October 2005
54	September 2005
113	August 2005
107	July 2005
46	June 2005
27	May 2005
87	April 2005
163	March 2005
21	February 2005
30	January 2005
9	December 2004
73	November 2004
10	October 2004
4	September 2004
8	August 2004
62	June 2004
85	May 2004
35	April 2004
28	March 2004
15	February 2004
12	December 2003
21	November 2003
23	October 2003
246	September 2003
27	August 2003
16	July 2003
58	June 2003
22	May 2003
20	April 2003
36	March 2003
3	February 2003
31	January 2003
27	December 2002
56	November 2002
179	October 2002
67	September 2002
87	August 2002
92	July 2002
143	June 2002
87	May 2002
75	April 2002
1	March 2002

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template