===================================================================== CERT-Renater Note d'Information No. 2006/VULN117 _____________________________________________________________________ DATE : 30/03/2006 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : NetBSD 2.0 through NetBSD-current (prior to March 17, 2006). ====================================================================== NetBSD Security Advisory 2006-008 ================================= Topic: Malformed ELF interpreter causes system crash Version: NetBSD-current: source prior to March 17, 2006 NetBSD 3.0: affected NetBSD 2.1: affected NetBSD 2.0.*: affected NetBSD 2.0: affected Severity: Any local user can crash the system Fixed: NetBSD-current: March 17, 2006 NetBSD-3-0 branch: March 20, 2006 (3.0.1 will include the fix) NetBSD-3 branch: March 20, 2006 NetBSD-2-1 branch: March 20, 2006 (2.1.1 will include the fix) NetBSD-2-0 branch: March 20, 2006 (2.0.4 will include the fix) NetBSD-2 branch: March 20, 2006 Abstract ======== A malformed copy of ld.elf_so, or any other elf interpreter, can cause a NULL pointer deference in the kernel. Technical Details ================= The elf_load_file() function assumed that an interpreter always has a PT_LOAD section defined in it's header. That is not necessarily the case, as an attacker can trivially create an interpreter that does not have that, and a binary that uses that interpreter. The netbsd-2, netbsd-2-0 and netbsd-2-1 branches are only vulnerable if the kernel is compiled with the USE_TOPDOWN_VM option which is not set by default in GENERIC kernels. Solutions and Workarounds ========================= For all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarise how to upgrade your kernel. In these instructions, replace: ARCH with your architecture (from uname -m), and KERNCONF with the name of your kernel configuration file. To update from CVS, re-build, and re-install the kernel: # cd src # cvs update -d -P sys/kern/exec_elf32.c # ./build.sh kernel=KERNCONF # mv /netbsd /netbsd.old # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd # shutdown -r now For more information on how to do this, see: http://www.NetBSD.org/guide/en/chap-kernel.html Thanks To ========= Eric Haszlakiewicz for PoC code and implementing the fixes. Coverity for access to the scans of the NetBSD source code. Revision History ================ 2006-03-29 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-008.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2006, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2006-008.txt,v 1.5 2006/03/29 11:14:28 adrianp Exp $ ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================