Cambridge Researcher Breaks OpenBSD Systrace

Posted by kdawson on Thu Aug 09, 2007 10:19 AM
from the without-a-trace dept.
An anonymous reader writes "University of Cambridge researcher Robert Watson has published a paper at the First USENIX Workshop On Offensive Technology in which he describes serious vulnerabilities in OpenBSD's Systrace, Sudo, Sysjail, the TIS GSWTK framework, and CerbNG. The technique is also effective against many commercially available anti-virus systems. His slides include sample exploit code that bypasses access control, virtualization, and intrusion detection in under 20 lines of C code consisting solely of memcpy() and fork(). Sysjail has now withdrawn their software, recommending against any use, and NetBSD has disabled Systrace by default in their upcoming release."
  • by Gopal.V (532678) on Thursday August 09 2007, @10:27AM (#20169547) Homepage Journal

    James Morris has put up an analysis [livejournal.com] of the same vulnerabilities.

    And pushing the system code down into lower echelons of execution (i.e. kernel), the way SELinux does it, is a valid fix.

    • by afidel (530433) on Thursday August 09 2007, @10:43AM (#20169739)
      I wonder what the performance penalty would be for thunking to kernel space on every such operation. If it was well implemented I would guess it would be minimal, since you could just pass the call off to the called kernel object directly. I also wonder what, if any, security vulnerabilities would be exposed by moving that extra code into kernel space. I know for the TrustedBSD tools it would be minimal due to their strict code checking policies, but for other systems having this much extra code in kernel space might be a risk.
  • by Antarius (542615) on Thursday August 09 2007, @10:43AM (#20169731)
    The tremors that you are feeling are from the sounds of the collective users of OpenBSD all simultaneously shouting "Fuck!" in exasperation.
  • by pathological liar (659969) on Thursday August 09 2007, @10:53AM (#20169865)
    ... now if only this would lead to a little ego deflation and humility among OpenBSD developers.

    As long as I'm dreaming, I also want a pony.
  • by millert (10803) on Thursday August 09 2007, @10:54AM (#20169887) Homepage
    The sudo systrace support is part of an experimental feature ("monitor mode") not present in any of the real sudo releases (though the code is available via anonymous cvs). Given the deficiencies of systrace (and ptrace) it is unlikely that this feature will be present in any future sudo release.

      - todd
  • Ha Ha (Score:5, Funny)

    by UnknowingFool (672806) on Thursday August 09 2007, @10:58AM (#20169931)
    Sweet justice! My Win98 boxes have finally protected me against a hole. I am invinci*^&#%
    $#%#^&&!#$@$

    [CONNNECTION LOST]
  • by Mattintosh (758112) on Thursday August 09 2007, @10:59AM (#20169941)
    Theo de Raadt goes on a rampage in 5... 4... 3... 2...
  • by diegocgteleline.es (653730) on Thursday August 09 2007, @11:05AM (#20170025)
    ...and he's also one of the most important FreeBSD hackers.
  • by amper (33785) * on Thursday August 09 2007, @11:47AM (#20170611) Homepage Journal
    The very fact that the OpenBSD project makes itself such a huge target for would-be hackers is what makes it almost certain that any vulnerabilities will be found and patched. No handwringing is necessary here, though quite a lot of recoding may be involved. We can all look forward to an even more secure OpenBSD very soon. Keep up the good work, everyone!
  • by cgdae (996476) on Thursday August 09 2007, @01:16PM (#20171903) Homepage

    OpenBSD's systrace manpage appears to mention this problem in the BUGS section:

    Applications that use clone()-like system calls to share the complete address space between processes may be able to replace system call arguments after they have been evaluated by systrace and escape policy enforcement.

    Or see http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html [openbsd.org]

  • Undeadly coverage (Score:4, Informative)

    by zyche (784345) on Thursday August 09 2007, @05:08PM (#20174941)

    Coverage on Undeadly [undeadly.org].

    To answer some anti-OpenBSD bias from the summary above: systrace is really Niels Provos' toy; OpenBSD just includes it in the base install, just as NetBSD does. Regarding sudo, it has been addressed in a comment above (not vulnerable in the actual released version). And by saying that NetBSD has disabled systrace, that implies that OpenBSD still has it enabled. Except that it is a tool that isn't used by the default install at all - you have to enable and configure it yourself. And as the Undeadly post states: Since 2002, the systrace(1) man page included a warning in the BUGS section about the possibility of escaping the policy enforcement because of the behavior of certain system calls.

    Personally I have never liked the idea of systrace - leaves way too much to me as a system administrator to fuck up.

      • by eno2001 (527078) on Thursday August 09 2007, @11:03AM (#20169997) Homepage Journal
        You know the old saying... "you get what you stay for". As long as you're logging in as root you will damage your system. It's a known fact. Anyone who logs in as root eventually dostoyevsky's their system. Logging in as root is dangerous. Even using 'su -' is dangerous. 'sudo' provides some level of security and accountability, but even that is dangerous. I can't tell you how many times I've seen people type 'sudo bash' and then tool around doing everything as root all the time. The only way to really be safe is to never use any super user abilities whatsoever. The way I've handled it is that any time I run into something that I need root access for, I just give up. So I don't have any new users other than the ones I originally set up when I installed Ubuntu. I also don't have any access to the CD-RW drive built into the system, but that's OK since I'm not an illegal music and software pirate (only pirates use CD-R/CD-RW). I can't use the attached scanner that once worked in Windows 98, but that's OK since there is no need to scan photos or anything in Linux since there are no apps with which to work on them anyway. Whenever the system pops up asking me for the root password I just cancel out and stick with whatever settings the system had. Basically for me, a request for the root password is a threat to the security of my PC, myself and possibly the nation or even global security. So in short DO NOT EVER USE root access of ANY kind. It's very dangerous and best left to the experts (bearded and bald scientists in dusty university halls).
    • Re:fix schedules ? (Score:4, Informative)

      by orclevegam (940336) on Thursday August 09 2007, @11:07AM (#20170053) Journal

      as usual I would assume *bsd to put out fixes quite timely...

      Well, the fix for now appears to be don't use the vulnerable software, but considering that the vulnerability allows you to break the software such that it behaves as if it wasn't running, I have to wonder if people should use it anyway and just accept that for now anyone that knows how can bypass that particular security check. Also, if it was something simple like a buffer overrun that would be trivial to patch, but because of the way this particular vulnerability functions (concurrency attack) there's no simple solution. Some have suggested pushing the code to kernel space, but as they've also pointed out, that's rather risky in its own regard. Short of some kind of provision in the kernel to prevent the attacks I'm not sure how this could be fixed (although I haven't seen too many details, just that it involves re-writing some args after they've already been scanned by systrace).

      • Re:fix schedules ? (Score:4, Informative)

        by TubeSteak (669689) on Thursday August 09 2007, @11:50AM (#20170645) Journal

        as usual I would assume *bsd to put out fixes quite timely...
        FTFA: All affected vendors received at least six months, and in some cases many years advance notice regarding these vulnerabilities.
    • by Alioth (221270) <dyls@alioth.net> on Thursday August 09 2007, @11:14AM (#20170107) Homepage Journal
      Local exploits are only a phpBB vulnerability from being a remote exploit. If you're running a hosting service, and you're not treating local vulnerabilities as seriously as remote ones, it's only a matter of time before your machine is pwned and becomes a spam zombie. I've seen it happen.

      If you allow scripting on your server, then you've essentially given your users shell access, anyway.
    • Re:Why??? (Score:5, Interesting)

      by orclevegam (940336) on Thursday August 09 2007, @11:18AM (#20170169) Journal

      Why is everyone so hell bent on BREAKING things? Can't we all just try to get along for an instant?

      Because the fastest way to learn about something is to break it. Why do you think physicists spend all that time and money on particle accelerators?

      • Re:Linux? (Score:5, Informative)

        by x_MeRLiN_x (935994) on Thursday August 09 2007, @11:28AM (#20170321) Homepage
        Would you be talking about this [watson.org]?
      • Re:Linux? (Score:4, Interesting)

        by Hawke (1719) <kilpatds@oppositelock.org> on Thursday August 09 2007, @01:36PM (#20172183) Homepage Journal
        The presentation covers it pretty well. At least the GSWTK attack.

        (It's a straightforward time-of-use vs. time-of-check attack. And we were at least partially aware of it when we wrote GSWTK. The problem is that the original system calls require memory in the process's space, so you can't just copy in the string after you validate it to keep the process from changing it. I wrote some methods for Linux that allocated extra pages in the process's memory space so we could copy in the string, but that just makes the attack harder via obscurity. It doesn't address the fundamental issue at all.)
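The check-to-use gap Hawke describes, as an added example that is not from the paper, from systrace, or from any comment in this thread: a constructed policy wrapper that validates a path argument sitting in the monitored process's own memory, a constructed racer that rewrites that memory after the check (standing in for the second process sharing the address space), and the copy-then-check form that closes the window. All function names, the /tmp/ policy and the paths are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define BUF_LEN 64
/* Constructed policy: only paths under /tmp/ may be opened. */
static int policy_allows(const char *path) {
    return strncmp(path, "/tmp/", 5) == 0;
}
/* Constructed racer: a second process in the same address space rewriting the buffer. */
static void racer_rewrites_argument(char *shared_buf) {
    strcpy(shared_buf, "/etc/not-allowed");
}

/* Broken wrapper: validates the string in the caller's memory, then the guarded
 * operation reads that memory a second time.  Copies the path actually acted on
 * into 'used'; returns 1 if the operation proceeded, 0 if it was denied. */
int wrapper_check_in_place(char *shared_buf, char *used, size_t used_len) {
    if (!policy_allows(shared_buf))
        return 0;
    racer_rewrites_argument(shared_buf);        /* the check-to-use window */
    snprintf(used, used_len, "%s", shared_buf); /* second read sees the new value */
    return 1;
}

/* Hardened wrapper: read the argument once into memory the monitored process
 * cannot reach, then check AND use only that private copy (a kernel-side copy-in). */
int wrapper_copy_then_check(char *shared_buf, char *used, size_t used_len) {
    char private_copy[BUF_LEN];
    snprintf(private_copy, sizeof private_copy, "%s", shared_buf); /* single read */
    if (!policy_allows(private_copy))
        return 0;
    racer_rewrites_argument(shared_buf);        /* still fires, but nothing used changes */
    snprintf(used, used_len, "%s", private_copy);
    return 1;
}

/* Run one wrapper on a fresh, policy-compliant argument and report which path the
 * guarded operation ended up using (static storage, so callers need no buffer). */
const char *path_actually_used(int hardened) {
    static char used[BUF_LEN];
    char shared_buf[BUF_LEN] = "/tmp/ok";
    int proceeded = hardened ? wrapper_copy_then_check(shared_buf, used, sizeof used)
                             : wrapper_check_in_place(shared_buf, used, sizeof used);
    return proceeded ? used : "(denied)";
}

/* 1 if an operation went through on a path the policy forbids. */
int policy_was_bypassed(int hardened) {
    const char *p = path_actually_used(hardened);
    return strcmp(p, "(denied)") != 0 && !policy_allows(p);
}
```

The racer is called deterministically at the point where a real concurrent writer would win the race, so the in-place wrapper always lets the forbidden path through while the copy-then-check wrapper never does.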