COMMAND

    kernel

SYSTEMS AFFECTED

    NetBSD 1.3.3 and prior; NetBSD-current until 19990420

PROBLEM

    Following  is  based  on  NetBSD  Security  Advisory.  In order to
    provide  a  system  environment  capable  of  executing  System  V
    Release 4 (`SVR4')  binaries, it is  necessary to create  a set of
    device special  files; to  simplify this  task, a  shell script is
    shipped  with  the  system.   Due  to  a  mismatch of device major
    numbers  between  NetBSD  platforms,  one  device  special file is
    erroneously created with a wrong  major number, which may allow  a
    regular user to arbitrarily read  or write any data stored  on the
    NetBSD portion  of the  first IDE  disk configured  by the system.
    This vulnerability is restricted to  the i386 port of NetBSD  with
    SVR4 emulation additionally configured only.

    The SVR4 /dev/wabi character device special file, usually  created
    below  the  /emul/svr4  hierarchy,  is  currently supposed to be a
    synonym  for  the  /dev/null  device  special  file.    Originally
    developed  on  the  sparc  port  of NetBSD, the SVR4_MAKEDEV shell
    script creates  this file  with a  major number  of 3  and a minor
    number of 2, setting these  properties equivalent to those of  the
    /dev/null device special file on that platform.  On the i386  port
    of NetBSD, the character device major number 3 is associated  with
    the wd(4) driver, which  supports IDE (and compatible)  disks, and
    whose minor number 2 denotes the NetBSD portion of the first  such
    disk configured by  the systems; this  corresponds to the  special
    device file /dev/rwd0c in the base distribution.  As the /dev/wabi
    special  device  file  is  created  with  world  read  and   write
    permissions, a regular user may read and write any data stored  on
    that portion  of the  disk.   The effects  of actually running the
    WABI software on a vulnerable system have not been investigated.

SOLUTION

    A  patch  is  available  for  the  NetBSD  1.3.3  which  makes the
    SVR4_MAKEDEV shell script create the wabi device special file with
    the correct properties.  You may find this patch on the NetBSD ftp
    server:

        ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990419-SVR4_MAKEDEV

    NetBSD-current  since  19990420  is  not  vulnerable.   Users   of
    NetBSD-current  should  upgrade  to  a  source  tree  later   than
    19990420.  Once the SVR4_MAKEDEV  script is updated, re-run it  to
    recreate the  wabi device  with the  correct parameters.   If this
    action cannot be taken, an  immediate workaround is to remove  the
    existing device special file and creating a new one, which can  be
    done  by  executing  the  following  shell command sequence as the
    super-user:

        # /bin/rm -f /emul/svr4/dev/wabi
        # /sbin/mknod /emul/svr4/dev/wabi c 2 2
        # /bin/chmod u=rw,g=rw,o=rw /emul/svr4/dev/wabi