Concurrency Vulnerability: systrace, sudo, sysjail

Light Blue Touchpaper » USENIX WOOT07, Exploiting Concurrency Vulnerabilities in System Call Wrappers, and the Evil Genius:

Sysjail has been withdrawn, and its authors recommend against using it. From their site:

Due to handling semantics of user/kernel memory in concurrent environments, the sysjail tools, in inheriting from systrace, are vulnerable to exploitation. Details available here [first link above]. Many thanks to Robert Watson for discovering these issues! Until these problems have been addressed, we do not recommend using sysjail (or any systrace tools, including systrace). All versions are vulnerable on all architectures. Specifically, the bind and sysctl (and possibly other) functions may have their arguments re-written after being examined by the sysjail. This, in effect, leads to a total bypass of the prison. [my emphasis]

NetBSD has disabled systrace by default in its upcoming release; OpenBSD's systrace is affected as well. The flaw is not specific to these two tools: any interposition layer that examines system-call arguments in user memory that the kernel later re-reads has the same check-then-use window, and the paper reports that anti-virus products using such wrappers are affected too.
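The argument-rewriting race that the sysjail notice describes, reduced to a small model in C. This is an added example, not code from systrace, sysjail or the WOOT07 paper: `struct bind_arg`, the "no ports below 1024" policy, and the `racer` hook that stands in for a second thread writing to the same user page are all constructed for illustration. The vulnerable function fetches the argument twice (once for the wrapper's check, once for the kernel's copyin); the hardened one fetches it once and applies the check to that snapshot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the sockaddr a sandboxed process passes to bind(2).
 * It lives in user memory, so every thread in the process can write to it. */
struct bind_arg {
    uint16_t port;
};

#define PRIV_PORT_LIMIT 1024  /* constructed policy: the jail may not bind ports below 1024 */

/* A "racer" models a second thread in the sandboxed process that rewrites the
 * argument in the window between the wrapper's check and the kernel's copyin. */
typedef void (*racer_fn)(struct bind_arg *user_arg);

/* The wrapper's policy check: it reads the argument out of user memory. */
static int wrapper_allows(const struct bind_arg *a)
{
    return a->port >= PRIV_PORT_LIMIT;
}

/* Vulnerable pattern (systrace/sysjail style): the wrapper examines user
 * memory, then the kernel fetches the argument AGAIN with its own copyin.
 * Returns the port the kernel would actually bind, or -1 if the wrapper denied. */
int bind_via_wrapper_vulnerable(struct bind_arg *user_arg, racer_fn racer)
{
    if (!wrapper_allows(user_arg))          /* first fetch: the check */
        return -1;
    if (racer)
        racer(user_arg);                    /* another thread rewrites the argument here */
    struct bind_arg kcopy;
    memcpy(&kcopy, user_arg, sizeof kcopy); /* second fetch: the kernel's copyin */
    return kcopy.port;                      /* policy was applied to a value no longer in use */
}

/* Hardened pattern: copy the argument once, then check and use that single
 * snapshot. A later rewrite of user memory cannot change what was checked. */
int bind_via_wrapper_hardened(struct bind_arg *user_arg, racer_fn racer)
{
    struct bind_arg kcopy;
    memcpy(&kcopy, user_arg, sizeof kcopy); /* the only fetch from user memory */
    if (!wrapper_allows(&kcopy))
        return -1;
    if (racer)
        racer(user_arg);                    /* too late: the kernel no longer looks at user memory */
    return kcopy.port;
}

/* Attacker thread: swap the benign port for a privileged one. */
static void rewrite_to_privileged(struct bind_arg *a)
{
    a->port = 80;
}

/* Scenarios returning the port that would be bound (-1 = denied). */
int scenario_vulnerable_with_race(void)
{
    struct bind_arg a = { 8080 };
    return bind_via_wrapper_vulnerable(&a, rewrite_to_privileged);   /* 80: jail bypassed */
}

int scenario_hardened_with_race(void)
{
    struct bind_arg a = { 8080 };
    return bind_via_wrapper_hardened(&a, rewrite_to_privileged);     /* 8080: the checked value is used */
}

int scenario_vulnerable_no_race(void)
{
    struct bind_arg a = { 80 };
    return bind_via_wrapper_vulnerable(&a, NULL);                    /* -1: a lone thread is caught */
}

int main(void)
{
    printf("vulnerable wrapper, racing thread: bound port %d\n", scenario_vulnerable_with_race());
    printf("hardened wrapper,   racing thread: bound port %d\n", scenario_hardened_with_race());
    printf("vulnerable wrapper, no race:       result %d\n", scenario_vulnerable_no_race());
    return 0;
}
```

The `racer` callback makes the race deterministic for the sake of the demonstration; in a real process the second thread spins on the shared argument and wins the window some fraction of the time, which is enough since the sandboxed code can simply retry. The hardened form only works because the check runs on the kernel's own copy, after copyin; a wrapper that sits outside the kernel's system-call path and sees only user memory before the kernel acts cannot get that guarantee, which is why the notice recommends against the whole family of tools rather than a patch.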
