From owner-doc-jp@jp.freebsd.org  Wed Feb 23 04:20:07 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id EAA35961;
	Wed, 23 Feb 2000 04:20:07 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from sv01.geocities.co.jp (sv01.geocities.co.jp [210.153.89.155])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id EAA35956
	for <doc-jp@jp.freebsd.org>; Wed, 23 Feb 2000 04:20:06 +0900 (JST)
	(envelope-from hrs@geocities.co.jp)
Received: from mail.geocities.co.jp (mail.geocities.co.jp [210.153.89.137]) by sv01.geocities.co.jp (8.9.3+3.2W/3.7W) with ESMTP id EAA07568 for <doc-jp@jp.freebsd.org>; Wed, 23 Feb 2000 04:20:06 +0900 (JST)
Received: from mail.hrs.jp (sutnmax1-ppp41.ed.noda.sut.ac.jp [133.31.173.51]) by mail.geocities.co.jp (1.3G-GeocitiesJ-3.3) with ESMTP id EAA06764 for <doc-jp@jp.freebsd.org>; Wed, 23 Feb 2000 04:20:03 +0900 (JST)
Message-Id: <200002221920.EAA06764@mail.geocities.co.jp>
Received: from localhost (alph.hrs.jp [192.168.0.10])
	by mail.hrs.jp (8.9.3/3.7W/DomainMaster) with ESMTP id DAA27477
	for <doc-jp@jp.freebsd.org>; Wed, 23 Feb 2000 03:55:58 +0900 (JST)
	(envelope-from hrs@hrs.jp)
To: doc-jp@jp.freebsd.org
In-Reply-To: <200002221204.VAA20483@koga.do.mms.mt.nec.co.jp>
References: <200002200642.WAA10401@freefall.freebsd.org>
	<200002211211.VAA26121@mail.geocities.co.jp>
	<200002221204.VAA20483@koga.do.mms.mt.nec.co.jp>
X-Mailer: Mew version 1.94 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Wed, 23 Feb 2000 03:55:57 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
X-Dispatcher: imput version 990905(IM130)
Lines: 184
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: doc-jp 7101
Subject: [doc-jp 7101] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:03.asmon
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@geocities.co.jp

$B:4F#!wEl5~M}2JBg3X$G$9!#(B

Koga Youichirou <y-koga@jp.freebsd.org> wrote
 in <200002221204.VAA20483@koga.do.mms.mt.nec.co.jp>:

> > =============================================================================
> > FreeBSD-SA-00:03                                           Security Advisory
> $B!D(B $B$5$/$C$HN,(B $B!D(B
> > FreeBSD $B8GM-@-(B: yes
> 
> $B:#$^$G$H0c$&$N$G!"$A$g$C$H0cOB46!#A1$70-$7$OJ]N1!#(B

 $B9`L\$C$]$/$7$F$_$?$N$G$9$,!"(B
 $B$d$C$Q$j!V!A$@$1$NLdBj$+!W$NJ}$,NI$$$G$9$+$M(B?
 SA-00:02 $B$O$3$l$G=P$7$A$c$C$F$^$7$?$1$I!"0U8+Jg=8!#(B

 $B$H$j$"$($:!";XE&ItJ,$r=$@5$7$^$7$?!#(B
 $BB>$KLdBj$,$J$1$l$P(B, 02/25 $B$"$?$j$K(B annouce-jp $B$X2s$7$^$9!#(B

 # $B$"$l(B? [doc-jp 6979] $B$N(B SA-00:01.make $B$C$FN.$l$^$7$?$C$1(B?

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@geocities.co.jp>
|
|                                  j7397067@ed.noda.sut.ac.jp(univ)
|                        hrs@jp.FreeBSD.org(FreeBSD doc-jp Project)


 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:03.asmon
  From: FreeBSD Security Officer <security-officer@freebsd.org>
  Date: Sat, 19 Feb 2000 22:42:28 -0800 (PST)
  Message-Id: <200002200642.WAA10401@freefall.freebsd.org>
  X-Sequence: announce-jp 388

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r(B
 $B9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B(doc-jp)$B$,(B
 $B;29M$N$?$a$KDs6!$9$k$b$N$G(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B $B$=$NFbMF$K$D$$$F(B
 $B$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B. $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B,
 doc-jp@jp.freebsd.org $B$^$G$*4j$$$7$^$9(B.

--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-00:03                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:       Asmon/Ascpu ports fail to drop privileges

$BJ,N`(B:           ports
$B%b%8%e!<%k(B:     asmon/ascpu
$B9pCNF|;~(B:       2000-02-19
$B1F6AHO0O(B:       $B=$@5F|0JA0$N$9$Y$F$N(B Ports $B%3%l%/%7%g%s(B
$B=$@5F|(B:         2000-01-29
FreeBSD $B8GM-@-(B: yes

I.   $BGX7J(B - Background 

Two optional third-party ports distributed with FreeBSD can be used to
execute commands with elevated privileges, specifically setgid kmem
privileges. This may lead to a local root compromise.

$B$3$NFs$D$N%5!<%I%Q!<%F%#@=(B ports $B$O(B FreeBSD $B$NG[I[J*$K(B
$B4^$^$l$F$$$k$b$N$G$9(B. $B$3$l$i$O9b$$8"8B(B, $B6qBNE*$K$O(B kmem $B%0%k!<%W$G(B
setgid $B$5$l$?8"8B$G%3%^%s%I$r<B9T$9$k$N$KMxMQ$9$k$3$H$,$G$-$^$9(B.
$B$3$N$?$a(B, $B%m!<%+%k$N(B root $B8"8B$,C%$o$l$k2DG=@-$,$"$j$^$9(B.

II.  $BLdBj$N>\:Y(B - Problem Description

Asmon and ascpu allow users to execute arbitrary commands as part of a user
configuration file. Both applications are Linux-centric as distributed by
the vendor and require patching to run under FreeBSD (specifically, using
the kvm interface and setgid kmem privileges to obtain system statistics);
this patching was the source of the present security problem. This is a
similar flaw to one found in the wmmon port, which was corrected on
1999/12/31.

$B$I$A$i$b(B Linux $B8~$1$K%Y%s%@!<$+$iG[I[$5$l$F$$$k$b$N$G$9(B.  
FreeBSD $B$G;HMQ$9$k>l9g(B, $B%Q%C%A$rI,MW$H$7$^$9(B($B6qBNE*$K$O(B, kvm
$B%$%s%?%U%'!<%9$r;HMQ$7$F%7%9%F%`$NE}7W$rF@$k$N$K(B
kmem $B8"8B$G(B setgid $B$7$F$$$^$9(B).
$B$3$N=$@5%Q%C%A$,(B, $B%;%-%e%j%F%#LdBj$N860x$H$J$C$F$$$^$7$?(B.
$B=$@5%Q%C%A$NITHw$O(B, 1999/12/31 $B$K=$@5$5$l$?(B wmmon $B$N(B Ports $B$K(B
$B8+$i$l$?$b$N$HN`;w$7$?$b$N$G$9(B.

Note that neither utility is installed by default, nor are they "part of
FreeBSD" as such: they are part of the FreeBSD ports collection, which
contains over 3100 third-party applications in a ready-to-install format.

$BCm0U$7$FM_$7$$$N$G$9$,(B, $B$I$A$i$N%f!<%F%#%j%F%#$b%G%U%)%k%H$G$O(B
$B%$%s%9%H!<%k$5$l$^$;$s$7(B, FreeBSD $B$NItJ,$r9=@.$9$k$b$N$G$b$"$j$^$;$s(B.
$B$=$l$i$O(B FreeBSD Ports $B%3%l%/%7%g%s$N0l$D$G$9(B.
FreeBSD Ports $B%3%l%/%7%g%s$K$O(B, 3100 $B$rD6$($k%5!<%I%Q!<%F%#@=$N(B
$B%"%W%j%1!<%7%g%s$,$9$0$K%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$^$9(B.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit of
the most security-critical ports.

FreeBSD $B$O(B, $B%5!<%I%Q!<%F%#@=$N%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#LdBj$K4X$7$F(B
$B$$$+$J$kMW5a$b$7$^$;$s$,(B, $BHs>o$K4m81$J%;%-%e%j%F%#>e$NLdBj$r4^$`(B
Ports $B$rD4::$7(B, $B$=$N7k2L$rJs9p$9$k$H$$$&3hF0$r9T$J$C$F$$$^$9(B.

III. $B1F6AHO0O(B - Impact

If you have not chosen to install the asmon or ascpu ports/packages, then
your system is not vulnerable. If you have, then local users can obtain
setgid kmem rights, which allows them to manipulate kernel memory, and
thereby compromise root.

asmon $B$b$7$/$O(B ascpu $B$N(B Ports/Packages $B$r%$%s%9%H!<%k$7$F$$$J$1$l$P(B,
$B%7%9%F%`$K%;%-%e%j%F%#>e$NLdBj$O$"$j$^$;$s(B.
$B$b$7(B, $B$=$l$i$r%$%s%9%H!<%k$7$F$$$k$J$i(B,
$B%m!<%+%k%f!<%6$,(B kmem $B%0%k!<%W$X(B setgid $B$9$k8"8B$rF@$k$3$H$,$G$-$k$?$a(B,
$B%+!<%M%k%a%b%j$rA`:n$9$k$3$H$K$h$j(B, root $B8"8B$,C%$o$l$k4m81@-$,$"$j$^$9(B.

IV.  $BBP1~:v(B - Workaround

Remove the asmon and ascpu ports/packages, if you have installed them.

asmon $B$*$h$S(B ascpu $B$N(B Ports/Packages $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$K$O(B,
$B$=$l$i$r:o=|$7$F2<$5$$(B.

V.   $B=$@5=hCV(B - Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the asmon and/or ascpu
ports.

2) Reinstall a new package obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/sysutils/asmon-0.60.tgz
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/sysutils/ascpu-1.8.tgz

after the correction date. At the time of advisory release, the asmon
package was not available - you may need to use one of the other methods
to update the software.

3) download a new port skeleton for the asmon and/or ascpu ports from:

http://www.freebsd.org/ports/

and use it to rebuild one or both ports.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.0.tgz

$B<!$N$$$:$l$+$K$h$C$F2r7h2DG=$G$9(B.

1) Ports $B%3%l%/%7%g%sA4BN$r%"%C%W%0%l!<%I$7(B, asmon $B$H(B ascpu $B$r(B
   $B:F%3%s%Q%$%k$7$F$/$@$5$$(B.

2) $B<!$K<($9>l=j(B

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/sysutils/asmon-0.60.tgz
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/sysutils/ascpu-1.8.tgz

   $B$+$i(B, $B=$@5F|0J9_$K:n@.$5$l$??7$7$$%Q%C%1!<%8$r%@%&%s%m!<%I$7(B, 
   $B%$%s%9%H!<%k$7D>$7$F$/$@$5$$(B.  $B$3$N%;%-%e%j%F%#4+9p$,=P$5$l$?;~E@$G$O(B,
   asmon $B$N%Q%C%1!<%8$O$^$@MxMQ$G$-$k$h$&$K$J$C$F$$$^$;$s$N$G(B,
   asmon $B$r99?7$9$k>l9g$K$O(B, $BB>$N$$$:$l$+$N<jCJ$r$H$kI,MW$,$"$j$^$9(B.

3) $B<!$K<($9>l=j(B

http://www.freebsd.org/ports/

   $B$+$i(B, asmon $B$H(B ascpu $B$N?7$7$$(B Ports $B$r<hF@$7(B, $B$=$l$rMQ$$$F(B
   $B:F%3%s%Q%$%k$7$F$/$@$5$$(B.

4) portcheckout $B%f!<%F%#%j%F%#$r;H$&$H(B, $B>e5-(B (3) $B$r<+F0E*$K(B
   $B9T$J$&$3$H$,$G$-$^$9(B.  portcheckout $B$O(B,
   /usr/ports/devel/portcheckout $B$d(B, $B0J2<$N>l=j$+$iF~<j2DG=$G$9(B. 

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-2.0.tgz
