Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cambridge Researcher Breaks OpenBSD Systrace

Posted by kdawson on from the without-a-trace dept.

An anonymous reader writes "University of Cambridge researcher Robert Watson has published a paper at the First USENIX Workshop On Offensive Technology in which he describes serious vulnerabilities in OpenBSD's Systrace, Sudo, Sysjail, the TIS GSWTK framework, and CerbNG. The technique is also effective against many commercially available anti-virus systems. His slides include sample exploit code that bypasses access control, virtualization, and intrusion detection in under 20 lines of C code consisting solely of memcpy() and fork(). Sysjail has now withdrawn their software, recommending against any use, and NetBSD has disabled Systrace by default in their upcoming release."

6 of 194 comments (clear)

  1. SELinux and the same ... by Gopal.V · · Score: 5, Informative

    James Morris has put up an analysis of the same vulnerabilities.

    And pushing the system code down into lower echelons of execution (i.e kernel), the way SELinux does it, is a valid fix.

    --
    Quidquid latine dictum sit, altum videtur
  2. Re:so much for... by ArwynH · · Score: 4, Informative

    And it still only has had two remote holes in the default install in more than 10 years. This isn't a remotely exploitable hole, it allows privilege escalation, which requires access to the system and thus is a local hole. It's still a whopper of a hole though...

  3. No released version of sudo affected by millert · · Score: 5, Informative

    The sudo systrace support is part of an experimental feature ("monitor mode") not present in any of the real sudo releases (though the code is available via anonymous cvs). Given the deficiencies of systrace (and ptrace) it is unlikely that this feature will be present in any future sudo release.

      - todd

  4. Re:Linux? by x_MeRLiN_x · · Score: 4, Informative

    Would you be talking about this?

  5. OpenBSD's man page for systrace mentions this? by cgdae · · Score: 5, Informative

    OpenBSD's systrace manpage appears to mention this problem in the BUGS section:

    Applications that use clone()-like system calls to share the complete address space between processes may be able to replace system call arguments after they have been evaluated by systrace and escape policy enforcement.

    Or see http://www.openbsd.org/cgi-bin/man.cgi?query=systr ace&apropos=0&sektion=0&manpath=OpenBSD+Current&ar ch=i386&format=html

    --
    http://op59.net/
  6. Undeadly coverage by zyche · · Score: 4, Informative

    Coverage on Undeadly.

    To answer some anti-OpenBSD bias from the summary above: systrace is really Niels Provos toy, OpenBSD just includes it in the base install just as NetBSD does; regarding sudo, it has been addressed in a comment above (not vulnerable in the actual released version); and by saying that NetBSD has disabled systrace that implies that OpenBSD has it still enabled. Except that it is a tool that isn't used by the default install at all - you have to enable and configure it yourself. And as the Undeadly post states: Since 2002, the systrace(1) man page included a warning in the BUGS section about the possibility of escaping the policy enforcement because of the behavior of certain system calls..

    Personally I have never liked the idea of systrace - leaves way to much to to me as a system administrator to fuck up.