J-Security Center

Title: Multiple BSD Vendor exec() Ptrace Race Condition Vulnerability

Severity: MODERATE

Description:

Ptrace is a facility used mostly by debuggers that allows one process to attach to another and monitor/modify its execution state and memory.

Ptrace implements checks to ensure that unprivileged processes do not attach to privileged ones. It has been reported that a race condition exists in some BSD ptrace implementations that may cause these checks to be bypassed.

The race condition is reportedly present when a process is exec()ing a setuid image. It may be possible to attach to the setuid process if the race is won.

Once an unprivileged process has attached to a setuid process, it is possible to cause resumption of the setuid process' execution at an arbitrary address. If attacker-supplied instructions exist in an executable region of the setuid process' memory (such as in the environment), the attacker may resume execution at the location of these instructions. These instructions will then execute with the enhanced privileges of the setuid process.

The attaching process may also be able to modify memory belonging to the setuid process. This provides the attacker with almost complete control over the setuid process.

If exploited, this vulnerability could lead to local attackers elevating privileges. The privileges that can be gained depend on the setuid programs installed on the system.

OpenBSD and NetBSD have both confirmed that they are vulnerable. OpenBSD has released kernel patches, while NetBSD has fixed the problem in their CVS tree.
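The race described above, and the shape of the kernel-side guard that closes it, as an added illustration that is not code from this advisory or from either BSD kernel: a user-space toy model of the process state that ptrace(PT_ATTACH) and execve() consult. The flag names (PF_TRACED, PF_SUGID, PF_INEXEC), the function names and the simplified credential rules are this model's own assumptions. The model splits execve() at the point where the window lives: the decision to honour the setuid bit is taken before the new credentials are installed, so an attach that lands between the two steps passes the credential check against the old identity and then survives into the privileged process. The fixed variant refuses attach while the target is marked as being inside execve(), and once the exec has finished the credential check sees the setuid identity and refuses as well.

```c
#include <errno.h>
#include <stdio.h>

/* Toy model of the per-process state ptrace and exec consult. Added example,
 * not BSD kernel code; flag names are the model's own. */
#define PF_TRACED  0x1   /* a debugger is attached */
#define PF_SUGID   0x2   /* credentials were changed by a setuid image */
#define PF_INEXEC  0x4   /* execve() in progress: the guard added by the fix */

struct proc {
    unsigned uid;     /* effective uid; 0 is root */
    unsigned flags;
};

/* Credential rule shared by both attach variants: root may attach to
 * anything; otherwise the uids must match and the target must not have
 * gained privilege through a setuid image. */
static int attach_cred_check(const struct proc *tracer, const struct proc *target)
{
    if (tracer->uid != 0 && tracer->uid != target->uid)
        return EPERM;
    if (tracer->uid != 0 && (target->flags & PF_SUGID))
        return EPERM;
    return 0;
}

/* Vulnerable attach: the check runs against whatever the target is right
 * now, even if an execve() of a setuid image is half done. */
int ptrace_attach_vulnerable(const struct proc *tracer, struct proc *target)
{
    int err = attach_cred_check(tracer, target);
    if (err)
        return err;
    target->flags |= PF_TRACED;
    return 0;
}

/* Fixed attach: refuse while the target is inside execve(). A retry after
 * the exec completes is judged against the new (setuid) identity. */
int ptrace_attach_fixed(const struct proc *tracer, struct proc *target)
{
    if (target->flags & PF_INEXEC)
        return EAGAIN;
    return ptrace_attach_vulnerable(tracer, target);
}

/* execve() of a setuid-root image, split where the race lives.
 * Phase 1 decides whether the setuid bit is honoured (a traced process gets
 * no new privilege); phase 2 installs the credentials. */
static int exec_setuid_phase1(struct proc *p, int with_fix)
{
    int honour_setuid = !(p->flags & PF_TRACED);
    if (with_fix)
        p->flags |= PF_INEXEC;
    return honour_setuid;
}

static void exec_setuid_phase2(struct proc *p, int honour_setuid)
{
    if (honour_setuid) {
        p->uid = 0;
        p->flags |= PF_SUGID;
    }
    p->flags &= ~PF_INEXEC;
}

static int try_attach(int with_fix, const struct proc *tracer, struct proc *target)
{
    return with_fix ? ptrace_attach_fixed(tracer, target)
                    : ptrace_attach_vulnerable(tracer, target);
}

/* Interleave an unprivileged attach (uid 1000) with the exec of a setuid-root
 * image. Returns 1 when the unprivileged tracer ends up attached to a uid-0
 * process (the condition the advisory describes), 0 otherwise.
 * attach_in_window: 0 = attach before the exec, 1 = attach inside the window. */
int race_outcome(int with_fix, int attach_in_window)
{
    struct proc tracer = { 1000, 0 };
    struct proc target = { 1000, 0 };

    if (!attach_in_window)
        (void)try_attach(with_fix, &tracer, &target); /* legitimate: same uid, not setuid */

    int honour = exec_setuid_phase1(&target, with_fix);
    if (attach_in_window)
        (void)try_attach(with_fix, &tracer, &target); /* EAGAIN under the fix: not attached */
    exec_setuid_phase2(&target, honour);

    return (target.flags & PF_TRACED) != 0 && target.uid == 0 && tracer.uid != 0;
}

int main(void)
{
    printf("vulnerable, attach before exec: %d\n", race_outcome(0, 0));
    printf("vulnerable, attach in window:   %d\n", race_outcome(0, 1));
    printf("fixed,      attach in window:   %d\n", race_outcome(1, 1));
    return 0;
}
```

The first line of output is 0 because an attach that precedes the exec is seen by phase 1, which then declines to honour the setuid bit; the second is 1, the race; the third is 0, because the in-exec guard turns the window into an EAGAIN and the post-exec retry fails the credential check.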

Updates will be sent out as more information becomes available.

Affected Products:

  • NetBSD 1.4.1
  • NetBSD 1.4.2
  • NetBSD 1.4.3
  • NetBSD 1.5.0
  • OpenBSD 2.8.0
  • OpenBSD 2.9.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.