Advisories : ncurses allows local privilege escalation [REVISED]

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : ncurses allows local privilege escalation [REVISED]

Title:	ncurses allows local privilege escalation [REVISED]
Released by:	FreeBSD
Date:	20th November 2000
Printable version:	Click here

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================

FreeBSD-SA-00:68 Security Advisory

FreeBSD, Inc.

Topic: ncurses allows local privilege escalation [REVISED]

Category: core, ports

Module: ncurses

Announced: 2000-11-13

Revised: 2000-11-20

Affects: FreeBSD 5.0-CURRENT, 4.x prior to the correction date.

FreeBSD 3.x not yet fixed.

Corrected: 2000-10-11 (FreeBSD 4.1.1-STABLE)

2000-11-10 (ncurses port)

Credits: Jouko Pynnonen

FreeBSD only: NO

0. Revision History

v1.0 2000-11-13 Initial release

v1.1 2000-11-20 Corrected status of 3.x, referenced ncurses port

I. Background

ncurses is a text-mode display library used for formatting the output

of applications on a variety of terminals. It is externally

maintained, contributed code which is included in FreeBSD by default.

II. Problem Description

There exists an overflowable buffer in the libncurses library in the

processing of cursor movement capabilities. An attacker can force a

privileged application to use the attacker's termcap file containing a

specially crafted terminal entry, which will trigger the vulnerability

when the vulnerable ncurses code is called. This allows them to

execute arbitrary code on the local system with the privileges of the

exploited binary.

The systat utility included in the FreeBSD base system is known to use

vulnerable ncurses routines. It runs with increased privileges as a

member of the kmem group, which allows it to read from kernel memory

(but not write to it). A process with the ability to read from kernel

memory can monitor privileged data such as network traffic, disk

buffers and terminal activity, and may be able to leverage this to

obtain further privileges on the local system or on other systems,

including root privileges.

There may be other vulnerable applications included in the FreeBSD

base system, but no others are confirmed to be vulnerable due to the

difficulty in identifying a complete list of vulnerable ncurses

functions. However the following is a complete list of FreeBSD system

binaries which link against ncurses and run with increased

privileges. They may or may not be vulnerable to exploitation.

/usr/sbin/lpc

/usr/bin/top

/usr/bin/systat

FreeBSD 3.x and earlier versions use a very old, customized version of

ncurses which is difficult to update without breaking

backwards-compatibility. The update was made for FreeBSD 4.0, but 3.x

will not be updated to the newer version. At this stage the

vulnerability has not been fixed in FreeBSD 3.x.

The ncurses port (versions prior to 5.2) also contains this

vulnerability. It was corrected prior to the release of FreeBSD 4.2.

III. Impact

Certain setuid/setgid software (including FreeBSD base system

utilities and third party ports/packages) may be vulnerable to a local

exploit yielding privileged access.

The /usr/bin/systat utility is known to be vulnerable to this problem

in ncurses. At this time is unknown whether /usr/bin/top and

/usr/sbin/lpc are also affected.

The problems were corrected prior to the release of FreeBSD 4.2.

IV. Workaround

It is not feasible to reliably detect binaries which are vulnerable to

the ncurses vulnerability, however the provided utility will scan for

privileged binaries which use ncurses and which may potentially be

vulnerable. Some of the binaries reported may not in fact be

vulnerable, but should be recompiled anyway for maximum assurance of

security.

Statically linked binaries which are identified as potentially

vulnerable should be recompiled from source code if possible, after

patching and recompiling libc, in order to correct the vulnerability.

Dynamically linked binaries will be corrected by simply patching and

recompiling libc as described below.

As an interim measure, consider removing any identified setuid or

setgid binary, removing set[ug]id privileges from the file, or

limiting the file access permissions, as appropriate.

Of course, it is possible that some of the identified files may be

required for the correct operation of your local system, in which case

there is no clear workaround except for limiting the set of users who

may run the binaries, by an appropriate use of user groups and

removing the "o+x" file permission bit.

1) Download the 'scan_ncurses.sh' and 'test_ncurses.sh' scripts from

http://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh

http://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh

e.g. with the fetch(1) command:

# fetch http://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh

Receiving scan_ncurses.sh (381 bytes): 100%

381 bytes transferred in 0.1 seconds (7.03 kBps)

# fetch http://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh

Receiving test_ncurses.sh (604 bytes): 100%

604 bytes transferred in 0.1 seconds (6.55 kBps)

2) Verify the md5 checksums and compare to the value below:

# md5 scan_ncurses.sh

MD5 (scan_ncurses.sh) = 597f63af701253f053581aa1821cbac1

# md5 test_ncurses.sh

MD5 (test_ncurses.sh) = 12491ceb15415df7682e3797de53223e

3) Run the scan_ncurses.sh script against your system:

# chmod a+x ./test_ncurses.sh

# sh scan_ncurses.sh ./test_ncurses.sh /

This will scan your entire system for setuid or setgid binaries which

make use of the ncurses library. Each returned binary should be

examined (e.g. with 'ls -l' and/or other tools) to determine what

security risk it poses to your local environment, e.g. whether it can

be run by arbitrary local users who may be able to exploit it to gain

privileges.

4) Remove the binaries, or reduce their file permissions, as appropriate.

V. Solution

Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE after the

correction date, or patch your present system source code and

rebuild. Then run the scan_ncurses.sh script as instructed in section

IV and identify any statically-linked binaries as reported by the

script. These should either be removed, recompiled, or have privileges

restricted to secure them against this vulnerability (since

statically-linked binaries will not be affected by simply recompiling

the shared libc library).

To patch your present system: download the updated ncurses code from

the below location, and execute the following commands as root:

# fetch http://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz

# fetch http://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz.asc

Verify the detached PGP signature using your PGP utility.

cd /usr/src

tar xvfz /path/to/ncurses.tar.gz

cd /usr/src/lib/libncurses

make all

make install

In contrast to the usual practise, a simple patch fixing the security

vulnerability is not provided because the vendor did not make one

available, and the updated ncurses snapshot which fixed it contains

numerous other changes whose purpose and relation to the fix was

unclear.

[ncurses port]

If you have installed a vulnerable version of the ncurses port, one of

the following steps may be used to upgrade it:

1) Upgrade your entire ports collection and rebuild the ncurses port.

2) Deinstall the old package and install a new package dated after the

correction date, obtained from:

http://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/ncurses-5.2.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/ncurses-5.2.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/ncurses-5.2.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/ncurses-5.2.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/ncurses-5.2.tgz

3) download a new port skeleton for the ncurses port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The

portcheckout port is available in /usr/ports/devel/portcheckout or the

package can be obtained from:

http://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

http://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.0.4 (FreeBSD)

Comment: For info see http://www.gnupg.org

iQCVAwUBOhmaFlUuHi5z0oilAQG5MwP9FStZoFKPCqfciIbIcFrE0wLYuEOeI24S

j9D4rSwU1ALzHB7DMpeXmju5pDRROmgUTIOGnBN9FcXZly4lDN3Y9yyIeW6Ia5UZ

wWbkhxsn573kD3P00WHAB1F1ccbbK4+SPNLkdJDgyyqAC4SdgeJEg5+z+Wcx7d3E

t/Xsv/X1ylA=

=ZiMW

-----END PGP SIGNATURE-----