University of Cambridge researcher Robert Watson has published a paper at the First USENIX Workshop On Offensive Technology in which he describes serious vulnerabilities in OpenBSD’s Systrace, Sudo, Sysjail, the TIS GSWTK framework, and CerbNG. The technique is also effective against many commercially available anti-virus systems. His slides include sample exploit code that bypasses access control, virtualization, and intrusion detection in under 20 lines of C code consisting solely of memcpy() and fork(). Sysjail has now withdrawn their software, recommending against any use, and NetBSD has disabled Systrace by default in their upcoming release.
Nice and a serious slap into OpenBSD’s face, hah Theo? …
I wouldn’t call it a serious slap. It may be a serious problem, but if you think you can do better then by all means… do better.
I have faith that the *BSD developers will sort it all out.
Not really, since Theo has always said systrace is problematic which is, among other things, why it isn't used by default. If systrace is your only line of defense, well, then you get what you deserve.
But hey, don't let facts get in the way of a nice flamewar.
.. that this is only exploitable on multiprocessor systems.
Also, it seems that there is a solution available:
There is a straight forward solution for this problem. The initial
prototype of Systrace had a look-aside buffer in the kernel for
copyin. I told Robert about this, not sure if he mentioned that in
his paper or not. There obviously would be some associated
performance impacts. (Niels Provos, on the OpenBSD mailing list)
Still pretty serious though.
No, this is exploitable also on Uniprocessor systems.
Read the paper/slides before posting comments.
http://www.watson.org/~robert/2007woot/
Rough day for the OpenNetBSD camps.
What’s the saying, “What doesn’t kill you makes you stronger?”
This would only be rough if there was a worm of some sort mass turning OpenBSD boxes into bots. Since this is very unlikely, it isn’t a bad day.
Those guys live for finding new ways to break code and are probably pretty excited about this.
That’s true. It could be worse than a little dirt on the “Secure by Default” slogan and fodder for the OS fanboy cannons.
“Just so it is clear, systrace is just a tool included in the distribution. It is not used by anything in the base system by default but be wary of using this tool as it stands.”
http://undeadly.org/cgi?action=article&sid=20070809201304
The NetBSD Toaster has a clear i/o channel (bread goes in the slot, toast goes out the slot), so that is at least one architecture that should be invulnerable to attack. If these researchers can have the machine produce toast without bread, then this may be bigger than I thought.
I don’t doubt that it’ll be fixed in a few weeks.
This has been in the BUGS section of systrace for a while.
“BUGS
Applications that use clone()-like system calls to share the complete address space between processes may be able to replace system call arguments after they have been evaluated by systrace and escape policy enforcement.”
This has never been something that is enabled by default so I do not see how this can be a serious problem.
Watson has done some very interesting research though and it’s good somebody decided to really dive into it and see what the problems are. Kudos!
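The systrace BUGS entry quoted above and the look-aside buffer Niels Provos describes in the earlier comment are two sides of the same check-then-use problem: a wrapper evaluates a system call argument in memory the traced process still controls, and the kernel later copies that argument again. The following C program is an added illustration, not code from Watson's paper, from systrace, or from any of the projects named in the story. It is a userspace simulation: the "kernel", the policy, the path strings and the racing hook are all constructed stand-ins, and the race is triggered by an explicit callback rather than a real shared-address-space process. The point it shows is the mitigation: copy the argument into privately owned memory once and run both the check and the operation on that copy.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define ARG_MAX_LEN 256

/* Constructed policy: the sandboxed program may only open paths under /tmp/. */
static bool policy_allows(const char *path)
{
    return strncmp(path, "/tmp/", 5) == 0;
}

/* Stand-in for the kernel's open(2): records which path it actually used. */
static void kernel_open(const char *path, char *opened, size_t n)
{
    snprintf(opened, n, "%s", path);
}

/* Hook standing in for a second process that shares the address space and
 * rewrites the argument buffer between evaluation and use (hypothetical). */
typedef void (*race_hook_t)(char *arg);

/* VULNERABLE pattern (what the BUGS entry describes): the argument is evaluated
 * in the caller's own memory, then the kernel copies it again from that memory.
 * Returns -1 if denied at check time, 0 if the opened path satisfied the policy,
 * 1 if a path the policy would reject was opened anyway. */
int wrapper_check_then_use(char *user_arg, race_hook_t race, char *opened, size_t n)
{
    if (!policy_allows(user_arg))
        return -1;
    if (race)
        race(user_arg);            /* window: argument replaced after evaluation */
    kernel_open(user_arg, opened, n);  /* kernel re-reads the caller's buffer */
    return policy_allows(opened) ? 0 : 1;
}

/* HARDENED pattern (look-aside buffer): copy the argument into memory the
 * caller cannot touch exactly once; check and operation both use that copy. */
int wrapper_copy_once(char *user_arg, race_hook_t race, char *opened, size_t n)
{
    char lookaside[ARG_MAX_LEN];
    snprintf(lookaside, sizeof lookaside, "%s", user_arg);
    if (!policy_allows(lookaside))
        return -1;
    if (race)
        race(user_arg);            /* rewriting the caller's buffer is now irrelevant */
    kernel_open(lookaside, opened, n);
    return policy_allows(opened) ? 0 : 1;
}

/* Constructed racer: overwrite the argument with a path the policy rejects. */
static void swap_argument(char *arg)
{
    memcpy(arg, "/etc/passwd", sizeof "/etc/passwd");
}

int main(void)
{
    char arg[64];
    char opened[ARG_MAX_LEN];

    strcpy(arg, "/tmp/safe.txt");
    printf("check-then-use: result=%d opened=%s\n",
           wrapper_check_then_use(arg, swap_argument, opened, sizeof opened), opened);

    strcpy(arg, "/tmp/safe.txt");
    printf("copy-once:      result=%d opened=%s\n",
           wrapper_copy_once(arg, swap_argument, opened, sizeof opened), opened);
    return 0;
}
```

The cost Provos mentions is visible in the hardened version: every argument is copied into the look-aside buffer before evaluation and copied again to the kernel path, which is the "associated performance impact" of making the check and the use see the same bytes.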
NetBSD toaster does not check its input,
you can feed anything there.