Slashdot Mirror
Cambridge Researcher Breaks OpenBSD Systrace
An anonymous reader writes "University of Cambridge researcher Robert Watson has published a paper at the First USENIX Workshop On Offensive Technology in which he describes serious vulnerabilities in OpenBSD's Systrace, Sudo, Sysjail, the TIS GSWTK framework, and CerbNG. The technique is also effective against many commercially available anti-virus systems. His slides include sample exploit code that bypasses access control, virtualization, and intrusion detection in under 20 lines of C code consisting solely of memcpy() and fork(). Sysjail has now withdrawn their software, recommending against any use, and NetBSD has disabled Systrace by default in their upcoming release."
James Morris has put up an analysis of the same vulnerabilities.
And pushing the system code down into lower echelons of execution (i.e kernel), the way SELinux does it, is a valid fix.
Quidquid latine dictum sit, altum videtur
Any word if any of these vulnerabilities affect Linux or other Unixes as well?
My blog
I'm not worried about a vuln. in sudo; I always log in as root and don't have sudo running :). Remember, Real Programmers log in as root. Take that h4x0rz!
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
The tremors that you are feeling are from the sounds of the collective users of OpenBSD all simultaneously shouting "Fuck!" in exasperation.
Why didn't you just say "I'm scared." ?
I hate printers.
And it still only has had two remote holes in the default install in more than 10 years. This isn't a remotely exploitable hole, it allows privilege escalation, which requires access to the system and thus is a local hole. It's still a whopper of a hole though...
on local user/software exploits? my domains have over a thousand users, but no one logs into an account on the machine.
... now if only this would lead to a little ego deflation and humility among OpenBSD developers.
As long as I'm dreaming, I also want a pony.
The sudo systrace support is part of an experimental feature ("monitor mode") not present in any of the real sudo releases (though the code is available via anonymous cvs). Given the deficiencies of systrace (and ptrace) it is unlikely that this feature will be present in any future sudo release.
- todd
Sweet justice! My Win98 boxes have finally protected me against a hole. I am invinci*^&#%
$#%#^&&!#$@$
[CONNNECTION LOST]
Well, there's spam egg sausage and spam, that's not got much spam in it.
Theo DeRaadt goes on a rampage in 5... 4... 3... 2...
...and he's also one of the most important FreeBSD hackers.
Well, the fix for now appears to be don't use the vulnerable software, but considering that the vulnerability allows you to break the software such that it behaves as if it wasn't running, I have to wonder if people should use it anyway and just accept that for now anyone that knows how can bypass that particular security check. Also, if it was something simple like a buffer overrun that would be trivial to patch, but because of the way this particular vulnerability functions (concurrency attack) there's not simple solution. Some have suggested pushing the code to kernel space, but as they've also pointed out, that's rather risky in its own regard. Short of some kind of provision in the kernel to prevent the attacks I'm not sure how this could be fixed (although I haven't seen to many details, just that it involves re-writing some args after they've already been scanned by systrace).
Curiosity was framed, Ignorance killed the cat.
Yes, M. Watson also attacked equivalent programs (GSWTK) under Linux successfully.
Read his blog post, as some of the techniques described are quite interesting. Too bad we can't read the full paper.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Because the fastest way to learn about something is to break it. Why do you think physicists spend all that time and money on particle accelerators?
Curiosity was framed, Ignorance killed the cat.
What if you can get a user shell by using an exploit in (firefox|x-chat|bind|apache|ftp|ssh|sendmail|ntp|w hatever open port)?
Guess you get what you deserve when you put a machine on the internet.
Sure it is only an unprivileged local user, what could you do with that.
Oh, wait. You could get root if you had a local user using an other exploit.
Exactly, why would anyone want to put a computer on the internet? That's just stupid!
Would you be talking about this?
Then choose a better FTP server - it's not OpenBSD's fault you installed pr00tme-ftpd.
I can also publish a root password for my servers on digg. Does that mean it's OpenBSD's fault for that 'exploit' as well?
The purpose of the default install is a configuration that has been audtied by _the_ most anal development team on the planet. This is nothing but a good thing, and if people have a problem with Theo's attitude, feel free to fork the codebase.
On my list of the 10 best OSS projects, OpenBSD is in the top 5.
Website Hosting
The very fact that the OpenBSD project makes itself such a huge target for would-be hackers is what makes it almost certain that any vulnerabilities will be found and patched. No handwringing is necessary here, though quite a lot of recoding may be involved. We can all look forward to an even more secure OpenBSD very soon. Keep up the good work, everyone!
[Fuck Beta]
o0t!
Nah, it's just that nobody RTFA anymore.
Quit jabbering on the phone while driving. You are not that important.
Given that the vulerability exploited is a system call race, it may be that the "unwrapped" system calls may be exploited as well.
Basically, wrapping the call (supposed to increase security) make the race more exploitable. It is NOT "sudo" that is at fault, specifically, because sudo (in its current release) does not do call wrapping.
There is an easy solution available -- simply disallow all execution between the time the system call is invoked, and all parameters have been copied to system space. Alternatively, do not allow threading, and mapping of memory used for parameters in an active call (a bit more difficult).
A security audited system call interface is needed, along with a prohibition on wrapping system calls expected by an application (because those wraps could be exploited by an attacking program).
And you are right -- Windows is probably more vulnerable to this, simply because there are more system calls that use buffer pointers.
But this entire class of exploit is "local only", which means that the system needs to be comprimised another way first; this can be used to obtain root, or use unauthorized resources.
SELinux can be used to prevent much of the damage possible, as can Trusted Solaris. I don't know if there is a Windows eqivalent.
Just another "Cubible(sic) Joe" 2 17 3061
While we're disabling any form of shell access for any reason whatsoever, why not stop all those HTTP servers as well and the SMTP, DNS and all that crap as well. After all anybody who dares expose such a system on the internet when history tells us that there will be new vulnerabilities found in those software is obliviously an idiot.
On my list of the 10 best OSS projects, OpenBSD is in the top 5.
In other words... it's in your list of the 5 best OSS projects.
(sorry)
OpenBSD auditing isn't the god of all auditing you think it is.
This is just another piece of audited code that roots you.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
OpenBSD's systrace manpage appears to mention this problem in the BUGS section:
Or see http://www.openbsd.org/cgi-bin/man.cgi?query=systr ace&apropos=0&sektion=0&manpath=OpenBSD+Current&ar ch=i386&format=html
http://op59.net/
The presentation covers it pretty well. At least the GSWTK attack.
(It's a straight forward time-of-use vs. time-of-check attack. And we were at least partially aware of it when we wrote GSWTK. The problem is that the original system calls require memory in the processes space, so you can't just copy in the string after you validate it to keep the process from changing it. I wrote some methods for Linux that allocated extra pages in the processes memory space so we could copy in the string, but that just makes the attack harder via obscurity. It doesn't address the fundamental issue at all.)
well-played old chap.......... ;)
Website Hosting
This race bug was known for ages. It's even hinted in the man page. Stop the FUD.
Kristaps Dzonsons. And I'm not sure if he ever really intended for it to be for production use. I saw his talk at NYCBSDCon last year, and my impression was "here's a neat tool I'm working on guys, I'm still working out a lot of things, come play if you want". Not that this isn't an important vulnerability to address-- but I'd be surprised if anyone was currently using sysjail in an important production role.
Coverage on Undeadly.
To answer some anti-OpenBSD bias from the summary above: systrace is really Niels Provos toy, OpenBSD just includes it in the base install just as NetBSD does; regarding sudo, it has been addressed in a comment above (not vulnerable in the actual released version); and by saying that NetBSD has disabled systrace that implies that OpenBSD has it still enabled. Except that it is a tool that isn't used by the default install at all - you have to enable and configure it yourself. And as the Undeadly post states: Since 2002, the systrace(1) man page included a warning in the BUGS section about the possibility of escaping the policy enforcement because of the behavior of certain system calls..
Personally I have never liked the idea of systrace - leaves way to much to to me as a system administrator to fuck up.
Let's be reasonable about this for a moment.
Once someone has the power to execute arbitary code on your system, then it is arguably only a matter of time before they can do what they please on it. Which is precisely why you don't use the same OpenBSD box for your firewall as you do for giving users a shell account on a Unix box.